Q. I am creating a role for IMG customizing. SU53 is asking for other t-codes as authorization values for S_TCODE when I hit a failure. I do not want the status of the traffic light to change to CHANGED by adding the t-code directly to S_TCODE. Any input?
A. The status of the traffic lights will always be CHANGED if you change the proposed values. You can add the values to a manually added instance of S_TCODE if that helps. Also, have you used the concept of Customizing Roles used for IMG config? Those might also help.
Q. One thing to note here: once you specify a parent role, there is no way to delete the relationship. You would need to delete and re-create the child? However, I created a master role and derived a child role from it and then deleted the relationship successfully through the button Delete Inheritance Relationship. But once I removed the relationship it cannot be re-established between the same master and child role. Could you please help me in understanding your lines?
A. You are right and my words in the post were confusing. As you mentioned, you can indeed delete the relationship. Right now I am not sure what exactly I meant by my words. I might have meant that if you want to create a role as a child, you would need to create the relationship right at the very beginning. You cannot add a parent if the role already has t-codes added in its menu. Anyway, I just deleted the line you quoted as it was giving wrong information.
Q. Can you please tell me how to assign or delete a single transaction code from multiple roles using an eCATT script?
A. You would have to add or remove one t-code at a time and then save the role and get out of PFCG. Think of the series of steps that you would be doing to complete this series of actions.
Q. Even now it is technically feasible to directly modify authorization profiles, but it is strongly discouraged by SAP. Can you tell me what the dangers of this are? There were occasions, when investigating what role I should assign to a user who could only state what transaction code they needed, that I would initially not find it in a role using the transaction code search on S_BCE_68001425, but if I searched via Auth Object S_TCODE on Selection according to authorization values, I would find the transaction had been directly assigned to the profile?
A. For quite a few years now SAP has advocated maintaining roles instead of profiles. Maintaining roles is much simpler when SAP is doing the lifting and generating the profiles. Profile assignments also cannot be end dated. So you can get profiles to expire. S_BCE_68001425 is the report for displaying roles. Anything you pull up through it is a role and not a profile. The S_TCODE results just mean that some roles have t-codes maintained at the object level rather than in the menu. This is not the same as maintaining profiles directly.

Q. I want to give one role to 5 users that contains two transaction codes, but I want to restrict one user to access only one transaction code by giving the same role. How do I do that? Could you please help me?
A. Is this an interview question? Unfortunately a lot of the time interviewers ask questions which are either not applicable in real life or are examples of rank bad design. So I cannot help you on this one. A role should be considered to be a container of permissions (t-codes/authorization objects/etc.) which is mapped to a set of actions that a user would be performing in the SAP system. If a person needs a different set of permissions he should be mapped to a different role.
Q. Need to do SAP HR automatic assignment of roles to users according to a staff position, when applying for a job. Are there any ready-made solutions that need revision, or Z?
A. As far as I understand the question, you want to assign a particular role to users who apply for a particular job? At this point I don't remember how SAP represents the event of applying for a job. If it's via an OM relationship, you can assign the role to the job object and update the US_ACTGR evaluation path to look for the relationship when running the user compare for indirect org assignment. There is another post on the site which talks at length on the entire concept of indirect role assignment via OM structure.
Q. Could you please suggest some good role naming conventions for single roles and composite
A. No client I worked on used a remotely similar naming convention. You are free to use any convention that makes sense to you. Letter codes identifying functional area, composite-single, derived-master, display or change activities, organizational levels are commonly included in the
Q. While using SU01, when we assign any role and press Enter, profiles are automatically called in the Profile tab. But if I assign all profiles related to one role and press Enter, why is the Role tab not getting updated? If I assign profiles only, will the user get access? If yes, then what is the exact advantage of role assignment?
A. Maintaining roles through PFCG is much simpler than directly modifying profiles. You can assign roles with validity dates but not profiles.
Q. There is a Z transaction for a Z program and the object related to this program is maintained in SU24. But the interviewer told me that the user who is assigned the Z transaction role doesn't contain the object related to that. But still the user is able to execute the t-code. I asked him if PFCG automatically pulled the object from SU24; then he told me he has deactivated the object but still the user is able to execute the t-code successfully without any error. How is this possible? Can you
A. There was no authority-check statement for the object in the code of the Z program. SU24 by itself doesn't help to check an object during program execution.
Q. Suppose I want to give authorizations to 2 company codes or sales organizations. In this case where do I have to give these two? In org levels or in authorizations?
A. Since these are org levels, I would suggest updating them in the org level section. This way any object using these fields will automatically pick up the org level values.
Q. Do Organizational Levels get added to roles because of the transactions and/or objects added? If I were to remove objects and auths from a role, would I also be removing Org Levels from it? I guess I do not understand the relation between roles and Org Levels, and how they appear on some roles?
A. All Org Levels are also authorization fields in at least one authorization object. So if you remove an auth object from a role which contains an org level field (either by deleting the object or removing the t-code which had pulled it in in the first place), you would impact the org level list as well. In such a case, if the role doesn't have any more objects with the particular org level field, you will no longer see it in the org level list inside the role.
Q. There is one more sub type under org level: Account type. Can you explain about it?
A. There are quite a few org levels in the SAP system. Different clients also configure org levels according to their security requirements. I would suggest using the field technical help (F1 button) and trying what you can find.
Q. Do you know in which table I can find the text description of org level fields? For example, I know WERKS is for plants. Similarly I need to find descriptions for some more org levels?
A. Please refer to the tables USORG and USVAR. They have the data you need.
Q. How can we figure out what company codes, plants, etc. exist in the system to assign in the role, in reference to functional modules such as FICO, MM, PP, SD? And if I assign a company code with a plant value to an org field, would the user only be able to access that particular plant or plants in such company code? Or do we have to do something else here to restrict a user?
A. Check the assignment of org levels under SPRO. The nodes under Enterprise Structure > Definition and Assignment tell about the different values of org levels created and the assignments between them. Ideally this information should come from your functional team as they are responsible for building the enterprise structure of the company.

Q. Recently I created a parent role and added an auth object manually which pulled Plant and ACTVT, as the auth field Plant was an Org Level too. I maintained the Org Levels as they were red and set the value of Plant as *; immediately the value * was filled for the auth field Plant and everything was green. I saved and generated and clicked on the push button for the values to be inherited by all the children. In my experience, previously too, I have done this exercise: I used to change all the child roles for their org levels. Immediately I got into edit mode in PFCG Authorizations, and the Org Levels dialog used to pop up EMPTY for me to define org level values for, say, plant, company code etc. As per relevance, I used to maintain specific org level values and not *. But this time nothing was red in the child role; rather, when I checked the Org Levels, it had also inherited the * value for Plant, Company Code. I was surprised, because I never saw such behaviour of inheriting * in org levels in the child role too.
I am very sure that in the Parent I maintained Org Levels as *, not the manually added auth object plant as *. I also tried reproducing the same case in test roles, and again in the child, org levels were automatically inherited as *. The main relevance/difference of the org level concept is that we can set org levels in the child role and the rest of the auth objects are inherited from the parent.
A. For an org level which is not maintained with any values at the child/derived role level, values will be copied from the parent role when you try to push the values from it.
Q. Is there any way to search an existing role via organization level?
A. I have trouble understanding the question. The AGR_1252 table gives the org level values mapped to roles if this is what you need.
Q. Is there a report that details Org Levels by role that can be used to check build?
A. You don't need a report. Just use the table AGR_1252.
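As an added example, not part of the original answers, here is an ABAP report that uses AGR_1252 the way the two answers above suggest: it lists every role whose org level values cover a given value, so it serves both as a role search by org level and as a build check of org levels by role. It accounts for the ways a single AGR_1252 row can cover a value (an exact value, the full wildcard *, or a LOW/HIGH interval) and for generic patterns ending in *. The org level variable $BUKRS and the value 1000 are assumed defaults for illustration.

```abap
REPORT zorglevel_search.

" Added example, not from the original page: search roles by org level value
" in AGR_1252 (one row per role, org level variable VARBL, e.g. $BUKRS or
" $WERKS, and value interval LOW/HIGH). The default variable and value
" below are assumptions for illustration.
PARAMETERS: p_varbl TYPE agr_1252-varbl DEFAULT '$BUKRS',
            p_value TYPE agr_1252-low   DEFAULT '1000'.

TYPES: BEGIN OF ty_hit,
         agr_name TYPE agr_1252-agr_name,
         varbl    TYPE agr_1252-varbl,
         low      TYPE agr_1252-low,
         high     TYPE agr_1252-high,
       END OF ty_hit.

DATA lt_hits TYPE STANDARD TABLE OF ty_hit WITH EMPTY KEY.

START-OF-SELECTION.
  " A role row covers the value if LOW is the exact value, LOW is the full
  " wildcard '*', or the value lies inside the interval LOW..HIGH
  " (HIGH is initial for single values, so it is tested first).
  SELECT agr_name, varbl, low, high
    FROM agr_1252
    WHERE varbl = @p_varbl
      AND ( low = @p_value
         OR low = '*'
         OR ( high <> '' AND low <= @p_value AND high >= @p_value ) )
    ORDER BY agr_name
    INTO TABLE @lt_hits.

  " Generic patterns such as '10*' cannot be resolved in SQL; fetch all
  " pattern rows for this org level and filter them against the value below.
  SELECT agr_name, varbl, low, high
    FROM agr_1252
    WHERE varbl = @p_varbl
      AND low LIKE '%*'
      AND low <> '*'
    APPENDING TABLE @lt_hits.

  LOOP AT lt_hits ASSIGNING FIELD-SYMBOL(<hit>).
    IF <hit>-low CS '*' AND <hit>-low <> '*'.
      " Keep a pattern row only if its prefix matches the searched value.
      DATA(lv_prefix) = substring_before( val = <hit>-low sub = '*' ).
      IF p_value NP |{ lv_prefix }*|.
        CONTINUE.
      ENDIF.
    ENDIF.
    WRITE: / <hit>-agr_name, <hit>-varbl, <hit>-low, <hit>-high.
  ENDLOOP.

  IF lt_hits IS INITIAL.
    WRITE: / 'No role carries', p_value, 'for org level', p_varbl.
  ENDIF.
```

Run it with the org level variable as it appears in the VARBL column (the names start with $) and the concrete value you are auditing; a role that shows up with LOW = * or a wide interval is the one to look at first when the question is who can reach a given company code or plant.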
Q. Is the org level mightier than the fields of auth objects? Ex.: I define Company Code 4711 in the auth object field, but define the company code under org level as *; which one overrides which? Is it something like a Central govt. law breaking the law of a state govt.? In our case, the org level breaks the auth field? I would be pleased to hear your position.
A. The company code value defined at auth level will prevail, and other auth values for the same company code which are unmaintained at auth level will fetch data from the Org level. But maintaining the company code at auth level in the parent role will cause all the derived roles to inherit the same for that particular object irrespective of the org level values of the derived roles.
Q. Let me know the reason for not adding ACTVT as an org level? I think it's because any t-code addition will come with the S_TCODE object by default?
A. Changing ACTVT to an org level would mean that all activity values in a role will have the same values. That doesn't make sense at all.

Q. How can you change an org level to a field level?
A. SAP provides a standard program PFCG_ORGFIELD_DELETE for this purpose. But be very careful before you use this program.
Q. Restrict user access to Site/Plant data based upon certain criteria. Let's just say the user has a parameter in a custom table. This is their assigned Plant/Site. They should only be able to access this Plant's data. The role I am using is SAP_PM_WOC_ORDER_PROCESS, with specifically the auth object I_SWERK. I guess I want to know the place where I also put my code to validate the plant. We have not implemented an org structure and have no plans to do so?
A. SAP's way to implement this is by using the org levels within roles, so that you can maintain the restricted value of the plant in the user's role, and as long as the transaction in question actually checks I_SWERK, you are all set.
Q. Can org fields be converted to normal fields? If yes, how do we handle it?
A. Search for ORGFIELD* in SA38.
Q. We have around 4000 Profit centers in our organization. The client requires authorizations based on Profit centers only. Please let me know if creating RESPAREA as an Org Field through PFCG_ORGFIELD_CREATE is the better option, or whether creating a new role with auth object K_PCA only with the required restrictions and attaching it to the users along with other roles is best practice for maintenance purposes in the long run?
A. The answer would depend on how many separate groupings of cost centers and business roles you would need. Also, do you expect requirements to keep changing even after the initial build? Also, would a single role have the same level of access to all the cost centers it would have access to? My thoughts would be to promote RESPAREA to an org level as it sounds like one in how your enterprise structure. However, even after conversion to an org level, this field poses its own
Q. Suppose there is a role change, e.g. maintaining plant values and company code restriction or addition. How will a developer know whether to change the org level values or to change the values in a particular object (meaning Activity), because the same Plant and Company codes also exist in auth objects? Could you please brief on this aspect?
A. Good coding practice dictates never to hard code field values in your programs but always use
Q. I have a situation in my current project. This is a small data cleanup project. As this organization was separated from a big enterprise, in the new system there remain many unused Org levels from the older parent organization. Now the task is to remove these unused org levels from the system.
From the security side there are a few tasks.
1. Kindly let me know how to remove the unused org levels from the roles and users?
2. Kindly let me know how to remove the unused org levels and authorization fields from the system, tables etc.?
3. Kindly let me know how to differentiate or list the unused and used org levels from the
I will be waiting for your reply every minute from now. You are my life saver. Please explain to me how to proceed with this small project as I am totally new and have a huge responsibility on me to take it forward. After reading your post I have got good hope that you will help me.
The ultimate task is that the security person should restrict view for all identified purchasing organizations/sales organizations/storage locations in the development client?
A. What you just mentioned is a small consulting project and not just for security. It will be a collaborative effort between the business owners who identify the obsolete org values, the functional team who update the config entries in SPRO and finally the security analyst who removes obsolete org values from roles.
Q. How to find who and when a field got promoted or demoted to an Org field? Do any such tables exist in the SAP BW system?
A. You can check the table logs for USORG and USVAR in case you have table logging active in your SAP environment.
Q. What happens when we manually add an Auth Object to a role? Why is it not recommended
by SAP?
A. Manually adding an auth object is certainly possible but discouraged as there is no trace about
why the object was added. The better option is to update SU24 entry for the transaction which
would need the object and pull these into the role through expert mode generation.
Q. What do you mean by saying *SAP doesn't pull the object during authorization maintenance in PFCG if the t-code is added to the role*, and what is the impact of not doing so?
A. I was trying to explain the impact of the different check indicators for a t-code while adding it to a role. For an object maintained as Check Ind. Check, Proposal No, the object will not be inserted into the authorizations for the role even if this t-code is added to the role. Hope this
Q. Discussing the tables USOBT and USOBX, I was wondering what the difference between these two tables is. When I checked these tables in the system, I see that the USOBT table has additional columns like authorization field and authorization value when compared against the USOBX table. Is that the only difference, that USOBT also has additional columns giving more details about the objects of the t-code? Could you elaborate your thoughts on it?
A. Open the SU22 entry for a particular t-code and also display the entries for this same t-code in the two tables. You will get your answer. One of the USOB tables stores the check indicators while the other stores the default values for objects.
Q. Adding a check in SU24 will have no impact on security unless the code is modified as well to include a check for the authorization object?
A. Say you create your own ABAP report ZREPORT_TEST to display FI data and create a t-code ZREP to call the program. You get a requirement that only people with activity 03 (display) for the authorization object F_BKPF_BUK can run the report for the company code values maintained in the role. To achieve this it won't be enough to add F_BKPF_BUK in the SU24 entry for ZREP. You would also need to add an authority-check statement in the code to actually check for the object. Hope this makes sense!
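As an added example (not code from the original post), this is what the AUTHORITY-CHECK the answer refers to could look like inside ZREPORT_TEST. F_BKPF_BUK, ZREPORT_TEST, ZREP and activity 03 are taken from the answer; the selection parameter p_bukrs and the use of the generic message 001 of class 00 for the error text are assumptions. The SU24 entry for ZREP only helps PFCG propose the object when the t-code is added to a role; this statement is what actually enforces it at run time, and its sy-subrc values line up with the return codes discussed further down the page for ST01.

```abap
REPORT zreport_test.

" Added example, not from the original post. The SU24 entry for ZREP makes
" PFCG propose F_BKPF_BUK when ZREP is added to a role; this statement is
" what actually enforces the check when the report runs.
" Assumptions: the company code to display comes from selection parameter
" p_bukrs, and the generic message 001 of class 00 ('& & & &') carries the
" error text.
PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.

START-OF-SELECTION.
  " Display (ACTVT 03) on F_BKPF_BUK for the requested company code. The
  " values are tested against the authorizations in the user's buffer, i.e.
  " the BUKRS values maintained in the user's roles.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.

  CASE sy-subrc.
    WHEN 0.
      PERFORM display_fi_data USING p_bukrs.
    WHEN 4.
      " Object is in the user buffer, but not with this company code and
      " activity (shows up as RC=4 in an ST01 trace).
      MESSAGE e001(00) WITH 'No display authorization for company code' p_bukrs.
    WHEN 12.
      " Object is missing from the user buffer altogether (RC=12 in ST01).
      MESSAGE e001(00) WITH 'Authorization object F_BKPF_BUK not assigned'.
    WHEN OTHERS.
      " Other return codes point at a programming or object definition error.
      MESSAGE e001(00) WITH 'Authorization check failed, sy-subrc' sy-subrc.
  ENDCASE.

FORM display_fi_data USING iv_bukrs TYPE bukrs.
  " Placeholder for the actual FI display logic of the report.
  WRITE: / 'Displaying FI data for company code', iv_bukrs.
ENDFORM.
```

Checking the company code the user actually asked for (rather than a constant) is the point: a role that carries F_BKPF_BUK with BUKRS 1000 and ACTVT 03 lets the report run for 1000 and rejects 2000, which is exactly the behaviour the SU24 entry alone cannot produce.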
Q. How does the SAP system treat check indicator C maintained in SU24 while working with actual functionality through a transaction (example: SU01 here)?
Supportive conditions:
(C: Will not be available in PFCG for maintenance)
(CM: Will be available in PFCG for maintenance)
(Authority checks are coded in the program as per SAP standard; we will consider standard transaction SU01 for this discussion)
Role assigned to user with values inside: Z_ABC
Objects: S_USER*
Transaction SU01 has many objects linked with CM (example: S_USER*) and many with C (example: S_DEVELOP). So could you please explain when exactly the system checks S_DEVELOP for user ZUSER when this user is working with SU01? And if it does so somewhere and it passes the user through the functionality (without stopping the user from going ahead) even with a failure because the user does not have S_DEVELOP, what is the difference in maintaining them with Check or No Check in SU24 (is it not more convenient to simply have objects which are CM/maintainable in PFCG in SU24)?
A. A few things to keep in mind for all SAP default check entries as seen in SU24. The check entry defaults are certainly not set in stone. SAP can and often does make mistakes in their default values which users are supposed to catch and modify according to their needs. The check indicators are meant for ease of maintenance when adding the t-codes to the roles. Unless an underlying check for the corresponding authorization object is present in the ABAP code for the t-code, no amount of fiddling with the check indicators is going to help. The only exception to the above rule is to mark an object as do not check. An object marked as do not check will not be needed by the user even if there is an authority-check for it in the program.
Finally, the difference between check (C) and check/maintain (C/M). SAP sets an object as C/M if these objects are checked in the code and hence needed by the user while executing the basic functionality of the t-code, for example the S_USER* objects present for SU01. The objects marked as check (C) are ones which might be checked while executing some of the more uncommon menu paths for the t-code. For example, SU01 has a check for PLOG. However, this object will only be checked if you are trying to use PFCG for indirect role assignment through Org Management.
Hopefully I have been successful in clearing your doubts. Personally, I consider SU24 to be one of the bedrocks on which the subsequent administration of security is based. So it's very important that every one of us security consultants has a solid understanding of each of the different settings in it.
Q. What's the process when we decide to not check/maintain an existing authorization object? Does someone have to go back to the code and remove the authority check statements? Or does it not matter for deactivation?
A. Since we are talking mostly about standard t-codes and standard objects, there is really not an option of removing authority-checks at the code level without a core mod. However, you can selectively switch off the checks for non-Basis and HR objects. To switch off the authority checks, you need to set the check indicator value for the object to do not check.
Q. What happens when we put the status of an authorization object as No Check, but in the program it is checked through an AUTHORITY-CHECK statement?
A. When an auth object is marked as do not check in SU24, this will actually override the authority-check statement. The authority-check statement is still executed like any other statement but the sy-subrc value is returned as 0 (zero) even if the user doesn't have the object in the user buffer. Please note that you cannot set HR and Basis objects to do not check.
Q. In the SU24 t-code. For example, a user has access to the SU53 t-code (access to authorization objects like S_DEVELOP, S_USER_GRP, S_USER_AGR and S_USER_AUT). So I have changed the check status to No for authorization object S_DEVELOP. After changing the status the user still has access to S_DEVELOP. What could be the reason? Why is the user getting access? What are the steps we need to do after changing the check status for
A. Maintaining SU24 and maintaining authorization values in roles are two very different things. Don't confuse the two together.
Q. I have the following question about the USOBX_C table: if a custom transaction ZNEW is created and the developer includes an authority check on, let's say, F_BKPF_BUK, what happens if you do not make a new entry in the USOBX_C table with SU24? When the program checks the USOBX_C table and finds nothing, does it check on the built-in auth object by default? If so, that would mean that you could decide to not transport the SU24 changes to production if you never change anything in the check indicators but only add custom transactions with their objects for role building purposes (and role maintenance is only done on development). Correct?
A. The check indicators in SU24 (USOB tables) are only meant to help with role maintenance. If there is an authority check at the program level, the object would need to be present in the user buffer for a successful execution of the program. The only exception to this rule is when you add an object as do not check in SU24. In such a case, the SU24 entry will override the authority check at code level.
Q. Is it possible to use custom t-codes without maintaining them in SU24? Is it mandatory to maintain custom t-codes in SU24?
If YES, ok.
If NO, where can we see the authorization objects associated with those custom t-codes other than SE93?
A. You only should think of updating SU24 for custom t-codes when the underlying program checks for the objects. Otherwise updating SU24 wouldn't make sense.
Q. In a new implementation SCM system I see that the SU25 steps don't have any execution dates in Steps 2A, 2B, 2C and 2D. However, the customer tables USOBX_C and USOBT_C already have values. I thought these tables should be empty and would be filled only after I execute those steps. The number of entries in USOBT is 35,333 whereas the number of entries in USOBT_C is only 34,912.
1. Why do we have values in the USOB*_C tables when the SU25 steps have not been run yet?
2. Should I run these steps for a new implementation?
A. For a new installation, you should only need to execute Step 1, Initially fill the customer tables. This is the step which pulls data into the USOB*_C tables. Are you sure no one has run this yet? The fact that there is already data in the USOB*_C tables seems to indicate so. The difference in numbers can also be explained if some support packs were installed after running Step 1. I think you can run Step 1 again if you want to sync with the current SAP delivered data. You don't need to run the rest of the steps. Remember that in future upgrades you don't run Step 1 but start with Step 2 onwards.
Q. Since I cannot show you the SU25 screenshot here I am writing down the screen prints.
Installing the Profile Generator 00:00:00
1. Initially Fill the Customer Tables 05/10/2010 17:43:48 DDIC
Post process the Settings after Upgrading to a Higher Release
2A. Preparation: Compare with SAP values 10/17/2005 17:32:31 DDIC
2B. Compare Affected Transactions 00:00:00
2C. Roles to be Checked 00:00:00
2D. Display Changed Transaction Codes 00:00:00
Transport Conn.
3. Transport the Customer Tables 00:00:00
Since the dates are showing as old (2010 and 2005), is it possible they are having old t-codes and authorizations and thus it becomes imperative to run SU25?
A. In a fresh installation, the only thing to ensure is to check that the client tables are filled up. The rest of the steps are not needed. I would think just running Step 1 would work for you. However, if you want to go ahead and run the rest of them, it's fine too. Just make sure that you do this in a pre-production environment, generate the affected roles and transport the new SU24 entries once you are done.
Q. Is there any way to mass upload the users?
Q. How does report RSU22DOWN help in going back to an earlier version? I ran this program in my system and I get nothing as output?
A. The RSU22DOWN program is meant to download the SU24 tables to a text file. If it's not downloading you might not be following the correct steps. Do a web search; the SAP help article on how to use the program is in the first few search entries.
Q. Do roles which are showing in RED status need to be generated before transporting?
A. You should not transport roles with unmaintained values for authorization objects. So just ensuring that roles are green won't be enough as a role with unmaintained values can still be
Q. I have executed SU25 Steps 2A to 2D in an ECC 6.0 system and then remediated the affected roles with user assignment generated from Step 2C in the DEV box. Now the client says do not transport the changes, i.e. Step 3, but transport the affected roles to the QA system.
My question is: will the remediated roles work in the QA system without the customer tables?
A. The customer tables need to be transported as well. Otherwise the full impact of the SU25 changes will not be experienced in the QA or Prod environments.
Q. Two questions regarding Step 3. In the ECC system we changed the SU24 table manually and moved the changes to quality but did not use Step 3. Quality testing is almost completed; should I transport the changes through Step 3, and if done, will it impact quality?
Scenario 2: BW system, no changes in SU24, so nothing was moved to quality. Testing in quality is completed; should I move the changes through Step 3?
A. If you already moved the customer tables manually, re-transporting them through SU25 is not necessary. You can verify that the latest changes are in QA by comparing the table values from
Q. SU25 Step 2A. Would you happen to know if Step 2A transfers data? After executing Step 2A, it looks as though the data was altered in tables USOBT_C and USOBX_C. After doing some research, I thought 2A just compared the tables USOBX and USOBT with USOBX_C and USOBT_C. Any input would be appreciated?
A. Step 2A is not a read-only step but does write data into the customer tables. After running the comparison between standard and customer table values, if SAP determines that there is a conflict, only then are these displayed in 2B; otherwise the updates occur in 2A. This post talks at length on what's happening behind the scenes.
Q. Explain the user buffer and the t-code to access the buffer. Do we have a role buffer as well in
A. The user buffer stores the authorizations assigned to a particular user. The transaction to view your user buffer is SU56. I have not come across the term role buffer.
Q. How to clear the SU53, i.e. if the user is facing an error and has provided SU53, how can we know which error the user is facing and how can we clear it? Could you please explain to me with an
A. The SU53 transaction by design only shows the last authorization check failure for a user. If you suspect that there might be multiple authorization failures for a single transaction, please use the security trace (t-code ST01) for the user under test. It will give you a list of the authority checks faced by the user and can be used to troubleshoot complicated security scenarios.
Q. I have a problem with SU53 screenshot checking, meaning after getting the SU53 screenshot from the customer, what do we need to check in it and how do we find the solution from that screen? For example, I am uploading one screenshot:

Evaluation of Last Failed Authorization Check of User LSUWESTJ
Description                 Authorization values
User Name              LSUWESTJ
Authorization Object   V_KNA1_VKO
System    ECP          Client  500
Date      23.09.2011   Time    10:31:07
Instance  pfecpa3      Profile Parameter auth/new_buffering  4

Authorization check failed
  Object Class          SD          Sales and Distribution
  Authorization Obj.    V_KNA1_VKO  Customer: Authorization for Sales Organizations
  Authorization Field   ACTVT       Activity
  Authorization Field   SPART       Division
  Authorization Field   VKORG       Sales Organization
  Authorization Field   VTWEG       Distribution Channel

User's Authorization Data LSUWESTJ
  Object Class          SD                       Sales and Distribution
  Authorization Object  V_KNA1_VKO               Customer: Authorization for Sales Organizations
  Authorizat.           T-ED49123900             Customer: Authorization for Sales Organizations
  Profl.                T-ED491239               Profile for role TV_GLB_ECC_CD_0002_ORGL
  Role                  TV_GLB_ECC_CD_0002_ORGL  PF:Customer/Vendor Master Maintenance (Central)
  Authorization Field   ACTVT   Activity              01, 02, 03, 05, 06, 08
  Authorization Field   SPART   Division              01, 41
  Authorization Field   VKORG   Sales Organization    1000, 3000, 4001
  Authorization Field   VTWEG   Distribution Channel  01, 41

A. In the first portion of the SU53 screenshot above, the SAP system is checking for the V_KNA1_VKO object with the values given. The next portion of SU53 (below User's Authorization Data LSUWESTJ) lists the authorizations for the same object which are present with the user. The check fails as the exact values checked by the system are not present in the user master.

A. There is a button in the tool bar of the SU53 transaction which allows you to switch users.
Q. How can we judge or confirm that the screenshot (SU53) sent by the end user is his last authorization failure? Are date and time the only way, or is there another option?
A. The SU53 screenshot is designed by SAP to return the last authorization failure for a user. However, basing your analysis on SU53 can be misleading in a large number of cases. An ST01 trace is a much better bet in such cases.

Q. I included SE11 in a development role assigned to one user which should have ACTVT 01, 02 (create and change). But running SU53 for that screen, the error shows that ACTVT 03 (display) should be included in the S_DEVELOP object. How can I restrict 03 display for that development role? Where do I need to change the default value in S_DEVELOP?
A. SU53 is often misleading. Try an ST01 trace. Also, giving change/create in S_DEVELOP without display doesn't make much sense.
Q. I have an issue with SU53 not recording the last authorization failure. I created a user with no authorizations, logged in with that user, executed a transaction and it says the user has no authorization to use that transaction. Then I logged in as a user that has authorization to execute SU53, switched users to the user that doesn't have any authorizations, and it didn't show any authorization failures. Any idea what the problem may be? I've never seen SU53 not work.
A. So SU53 doesn't work at all in the system? In such a case you can investigate the profile parameters which control SU53. If it's just for the one case you mentioned then I am not sure about the problem. But would you ever actually face this problem in a real scenario?
Q. List the return codes of ST01 with their description?
A. I have come across three return codes. There might be others as well. Not absolutely sure.
RC = 0: Check for authorization successful.
RC = 4: Check for authorization unsuccessful. User has the authorization object in his user buffer but with different values than what are checked.
RC = 12: Check for authorization unsuccessful. User doesn't have the authorization object in the user buffer.
A. I use general filters in ST01 to capture the trace for a single user. I am sure there will be other
uses as well.
Q. Explain what "same application server" means and where we have to select this in tracing.
Could you provide a screenshot, if possible?
A. You don't choose the app server in the ST01 transaction but via SM51. SM51 will allow you to
check which app server a user is logged in to. You then do a remote login to the same server via
SM51 and run the trace.
Q. Explain to me how to use the trace analysis screen to arrive at missing authorizations using the RC?
A. The options on the trace analysis screen are meant to filter the total data returned by the trace
tool. A security failure would be indicated by a return code other than 0.
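The two answers above (the RC list and the note that anything other than RC=0 is a failure) are easy to apply by hand to a short trace, but a long one is better reduced programmatically. The following is an added example, not code from the original post: it parses a small, constructed trace in a simplified line format (the real ST01 analysis screen lays lines out differently, so the regular expression would need adapting), maps each return code to the meaning given above, treats any code not in that list as unknown rather than guessing, and groups the failing field/value combinations per object so they can be compared against the role's maintained values.

```python
import re

# Return-code meanings as listed in the answer above; the answer says other
# codes may exist, so anything else is reported as unknown rather than guessed.
RC_MEANING = {
    0: "check successful",
    4: "object in user buffer, but with values different from those checked",
    12: "object not present in user buffer",
}

# Constructed sample lines (NOT real ST01 output): one checked object per line,
# the object name, "RC=<n>", then the checked FIELD=VALUE pairs separated by ";".
SAMPLE_TRACE = [
    "AUTH S_TCODE RC=0 TCD=SE16N;",
    "AUTH S_TABU_DIS RC=4 ACTVT=03;DICBERCLS=FC;",
    "AUTH S_TABU_NAM RC=12 ACTVT=03;TABLE=BSEG;",
    "AUTH S_TCODE RC=0 TCD=FB03;",
    "AUTH S_TABU_DIS RC=4 ACTVT=03;DICBERCLS=MM;",
    "this line is noise and is skipped",
]

LINE_RE = re.compile(r"^AUTH\s+(?P<obj>\S+)\s+RC=(?P<rc>\d+)\s*(?P<fields>.*)$")


def parse_trace_line(line):
    """Parse one constructed trace line into {'object', 'rc', 'fields'}; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for pair in m.group("fields").split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key.strip()] = value.strip()
    return {"object": m.group("obj"), "rc": int(m.group("rc")), "fields": fields}


def describe_rc(rc):
    """Human-readable meaning of a return code, per the list in the answer above."""
    return RC_MEANING.get(rc, f"unknown return code {rc}")


def missing_authorizations(lines):
    """Keep only checks with RC != 0 (the failures), grouped by object.

    For each object the result records the set of return codes seen and the
    distinct field/value combinations that failed, which is the list you would
    compare against the values maintained in the user's roles.
    """
    failures = {}
    for line in lines:
        rec = parse_trace_line(line)
        if rec is None or rec["rc"] == 0:
            continue
        entry = failures.setdefault(rec["object"], {"rcs": set(), "values": []})
        entry["rcs"].add(rec["rc"])
        combo = tuple(sorted(rec["fields"].items()))
        if combo not in entry["values"]:
            entry["values"].append(combo)
    return failures


if __name__ == "__main__":
    for obj, info in missing_authorizations(SAMPLE_TRACE).items():
        codes = ", ".join(f"RC={rc} ({describe_rc(rc)})" for rc in sorted(info["rcs"]))
        print(f"{obj}: {codes}")
        for combo in info["values"]:
            print("   ", "; ".join(f"{k}={v}" for k, v in combo))
```

Running it on the sample reports S_TABU_DIS (RC=4, two DICBERCLS values) and S_TABU_NAM (RC=12) and drops the RC=0 lines, which is exactly the filtering the trace analysis screen does for you interactively.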
Q. We can use SM50 to jump to other servers, right? If we want to use the ST01 t-code?
A. You can use SM50 to jump to different servers. However, you would still need to enable the
security trace in the servers individually.
A. SU03 is meant for updating authorizations while SU21 is meant to update authorization
objects. Ideally you shouldn't have to modify authorizations at all.
Q. Roles by Complex Selection Criteria and search for roles with access to the transaction
SU01 and the authorization object S_USER_GRP. So that beginners can get good knowledge on
A. Think of all the SUIM reports as a very user-friendly select statement where the selection
conditions you enter are part of the where clause of the query. For searching with S_USER_GRP,
just put in this object in the authorization objects section, enter the group name and execute the
report. You should get a list of roles with this user group maintained in S_USER_GRP.
Q. Which table gives the t-codes assigned to a user?
A. You will have to combine user_agr with agr_tcodes.
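As an added example (not code from the original post), here is that combination written out as a query, run with Python's sqlite3 module against constructed sample rows. The answer names user_agr; the standard SAP table holding user-to-role assignments is AGR_USERS, which is what the example uses, together with AGR_TCODES (transactions in a role menu) and AGR_AGRS (single roles inside a composite). Column names are the real ones; users, roles and transactions are invented. The query also applies the two things a naive join misses: it honours the assignment validity window (FROM_DAT/TO_DAT) and expands composite roles, which carry no transactions of their own.

```python
import sqlite3
from datetime import date

# Constructed sample data modelled on the real SAP tables (column names are real,
# the users, roles and t-codes are invented):
#   AGR_USERS  - role assigned to user, with validity window FROM_DAT/TO_DAT (YYYYMMDD)
#   AGR_TCODES - transactions in a role's menu
#   AGR_AGRS   - single roles contained in a composite role
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE AGR_USERS  (UNAME TEXT, AGR_NAME TEXT, FROM_DAT TEXT, TO_DAT TEXT);
        CREATE TABLE AGR_TCODES (AGR_NAME TEXT, TCODE TEXT);
        CREATE TABLE AGR_AGRS   (AGR_NAME TEXT, CHILD_AGR TEXT);
    """)
    conn.executemany("INSERT INTO AGR_USERS VALUES (?, ?, ?, ?)", [
        ("JDOE",   "Z_MM_DISPLAY", "20240101", "99991231"),
        ("JDOE",   "Z_OLD_FI",     "20200101", "20221231"),  # expired assignment
        ("JDOE",   "Z_COMP_SALES", "20240101", "99991231"),  # composite role
        ("ASMITH", "Z_OLD_FI",     "20240101", "99991231"),
    ])
    conn.executemany("INSERT INTO AGR_TCODES VALUES (?, ?)", [
        ("Z_MM_DISPLAY", "MM03"), ("Z_MM_DISPLAY", "SE16N"),
        ("Z_OLD_FI", "FB01"),
        ("Z_SD_VA01", "VA01"), ("Z_SD_VA03", "VA03"),
    ])
    conn.executemany("INSERT INTO AGR_AGRS VALUES (?, ?)", [
        ("Z_COMP_SALES", "Z_SD_VA01"), ("Z_COMP_SALES", "Z_SD_VA03"),
    ])
    conn.commit()
    return conn


# Only assignments valid on the key date count, and composites are expanded to
# their single roles, because a composite carries no transactions itself.
TCODES_SQL = """
WITH active AS (
    SELECT AGR_NAME FROM AGR_USERS
    WHERE UNAME = :uname AND :today BETWEEN FROM_DAT AND TO_DAT
),
singles AS (
    SELECT AGR_NAME FROM active
    UNION
    SELECT c.CHILD_AGR FROM AGR_AGRS c JOIN active a ON a.AGR_NAME = c.AGR_NAME
)
SELECT DISTINCT t.TCODE
FROM AGR_TCODES t JOIN singles s ON s.AGR_NAME = t.AGR_NAME
ORDER BY t.TCODE
"""


def tcodes_for_user(conn, uname, key_date=None):
    """Transactions reachable via role menus for `uname` on `key_date` (YYYYMMDD string)."""
    if key_date is None:
        key_date = date.today().strftime("%Y%m%d")
    rows = conn.execute(TCODES_SQL, {"uname": uname, "today": key_date}).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for user in ("JDOE", "ASMITH"):
        print(user, tcodes_for_user(db, user, "20240601"))
```

One caveat for audits: AGR_TCODES reflects the role menu only. A transaction maintained directly in S_TCODE (as in the derived-role answer further down) lives in the authorization values table AGR_1251, not in AGR_TCODES, so a complete picture needs that table as well.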
Q. LSMW doesn't work properly with methods that have branching logic, ALV grids and tree
A. If you read through my post, I have mentioned that LSMW and SECATT each have their own
features. Also, the post is targeted at security consultants who might need to use these tools for
automating their daily tasks and not so much at experts who use SAP tools to load data as
part of conversions.
Q. Can it be put to practical use if the users are on SSO, since we get lots of password
reset requests? Or else please suggest some SAP standard solution for password reset requests?
A. First of all, I am not an expert in the configuration of SSO for a system. There are different
flavors of SSO being used by different clients so I would suggest looking for the specific tools
that are available for your implementation. Standard SAP security tools probably won't work as
the users are not directly logging in to the backend at all.
Q. In this case, does ZSU01 call the same program as SU01? What entries do we have to
maintain in SU24 for this t-code? In short, I want to understand how the authorizations are
maintained for this customized t-code?
A. Any transaction variant calls the same program screens as the original t-code and would need
the same auth objects to be executed. You can certainly add these objects to the SU24 entries for
the new t-code (ZSU01 for instance) for easier maintenance. However, manually adding the
objects to the role with ZSU01 will also work.
Q. For a maintained transaction variant, can we give multiple options like display, lock, unlock, edit?
A. You basically need to disable all the menu options in the transaction being
recorded which you do not want the user to access.
Q. Is there a risk in not having an authorization group assigned (&NC&)? Or does the table also
need privileges to S_TABU_DIS/S_TABU_NAM (value 2) before they can edit the table?
A. It's a best practice to maintain an auth group for tables. I don't remember what the auth
group on the TBRG table is, but it will certainly be checked when you try to maintain it. Due to the
introduction of the S_TABU_NAM object, securing individual tables is now easier than it
was with S_TABU_DIS.
Q. We have some tables in a production system which haven't been assigned an auth group; these
are Z tables. The question is: how could we remediate the problem, since the auditors need
a solution for that?
A. You can just go ahead and assign auth groups for them. Also when you try to look up tables
with no explicit auth groups, the system actually checks if you have access to the auth group
&NC&. If you can make sure that no one has access to this group, auditors would be happy I
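The point in this answer, that a table without an explicit group is checked against &NC&, turns the audit finding into a concrete question: which roles grant S_TABU_DIS for DICBERCLS &NC& with a change activity? The following is an added example (not from the original post) that answers it over constructed rows shaped like the role authorization values table AGR_1251 (AGR_NAME, AUTH, OBJECT, FIELD, LOW, HIGH are its real columns; the role names and values are invented). It applies SAP-style value matching (LOW..HIGH interval, a lone `*` for everything, a trailing `*` as prefix wildcard) and, importantly, evaluates the fields per authorization instance rather than pooling all values of an object, because a role with ACTVT 03 on &NC& in one authorization and ACTVT 02 on group FC in another does not grant change on &NC&.

```python
from collections import defaultdict

# Constructed rows in the shape of AGR_1251: (AGR_NAME, AUTH, OBJECT, FIELD, LOW, HIGH).
# The table and its columns are real; every role, authorization name and value is invented.
AGR_1251_ROWS = [
    ("Z_BASIS_ALL",     "T-AB01", "S_TABU_DIS", "ACTVT",     "*",    ""),
    ("Z_BASIS_ALL",     "T-AB01", "S_TABU_DIS", "DICBERCLS", "*",    ""),
    ("Z_FI_TABLES",     "T-AB02", "S_TABU_DIS", "ACTVT",     "02",   ""),
    ("Z_FI_TABLES",     "T-AB02", "S_TABU_DIS", "DICBERCLS", "FC*",  ""),
    ("Z_TABLE_DISPLAY", "T-AB03", "S_TABU_DIS", "ACTVT",     "03",   ""),
    ("Z_TABLE_DISPLAY", "T-AB03", "S_TABU_DIS", "DICBERCLS", "&NC&", ""),
    ("Z_LEGACY_EDIT",   "T-AB04", "S_TABU_DIS", "ACTVT",     "01",   "02"),
    ("Z_LEGACY_EDIT",   "T-AB04", "S_TABU_DIS", "DICBERCLS", "&NC&", ""),
    ("Z_LEGACY_EDIT",   "T-AB05", "S_TABU_DIS", "ACTVT",     "03",   ""),
    ("Z_LEGACY_EDIT",   "T-AB05", "S_TABU_DIS", "DICBERCLS", "*",    ""),
]


def value_matches(low, high, target):
    """SAP-style matching of one maintained value against a checked value:
    LOW..HIGH interval, '*' for full access, trailing '*' as prefix, else exact."""
    if high:
        return low <= target <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return target.startswith(low[:-1])
    return low == target


def roles_granting(rows, obj, required):
    """Sorted role names with at least one authorization instance of `obj`
    in which every field in `required` (field -> checked value) matches.

    Fields are evaluated per AUTH instance: values from different instances
    of the same object are alternatives, never combined into one grant."""
    by_auth = defaultdict(lambda: defaultdict(list))
    for agr, auth, o, field, low, high in rows:
        if o == obj:
            by_auth[(agr, auth)][field].append((low, high))
    hits = set()
    for (agr, _auth), fields in by_auth.items():
        if all(any(value_matches(lo, hi, want) for lo, hi in fields.get(f, []))
               for f, want in required.items()):
            hits.add(agr)
    return sorted(hits)


if __name__ == "__main__":
    change_nc = roles_granting(AGR_1251_ROWS, "S_TABU_DIS", {"DICBERCLS": "&NC&", "ACTVT": "02"})
    print("Roles allowing change on ungrouped tables (&NC&):", change_nc)
    display_nc = roles_granting(AGR_1251_ROWS, "S_TABU_DIS", {"DICBERCLS": "&NC&", "ACTVT": "03"})
    print("Roles allowing display on ungrouped tables (&NC&):", display_nc)
```

The list this produces is the set of roles to clean up (or to justify to the auditors) while the Z tables are being assigned proper groups. Remember that a user's effective access is the union across all assigned roles, and that S_TABU_NAM, mentioned in the previous answer, can grant a table by name independently of its group, so a complete review checks that object too.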
Q. How do we get this switch enabled? Because currently the table shows blank output, i.e. I can't
see any switch active?
A. You need to open the table in SM30/SM31 and create the entries you need. By default the
table is empty and the system behaves as per default values. You will need to create entries for
PRGN_CUST. As delivered it is blank.
Q. What I'm interested in is the value-roles approach. What about your experience with creating
different roles for Transactions (T_CODE), common objects and org-levels and assigning a set
of these roles to a user knowing that the object will be provided by the additive auth. buffer?
A. I just started on a post about Value Roles. Should be ready in a few days. However, I will
confess that I am somewhat skeptical about the efficacy of value role based security design. So
you might find the article just a bit biased.
Q. How are you doing? Will you please answer one of my questions? If you assign a role to a user
and he is executing the role without problem, but my question is: the user is executing a t-code
but he gets a particular screen with missing tabs. How could we solve this problem?
A. If you are getting access to the t-code but some options are missing, there might be
subsequent security checks which are failing for the user. Use the security trace (transaction
ST01) to investigate the missing access. There is a post on this site which mentions the details of
how to use the security trace.
Q. I want to add a new auth. object to a parent role which has about 20 child roles due to
company codes and sales orgs. I have changed the parent role with the new object and generated
properly with the red-white beach ball and then transported to QA. But in the target (QA)
system, all the child roles had red lamps in the auth. tab which were previously green! What
happened? I would be pleased for your advice.
A. The entire concept of the lights in the authorization tab turning green/yellow/red is
controlled by the timestamp of the role and profile. Did you generate the child roles
(push authorization values) after inserting the object into the parent? Ideally both parent and child
roles should have been generated and the roles and profiles of all should have been transported to
Q. Can you tell me the correct way after we have made a change to the Org Level Values of
any existing derived role?
1) After making Org Level changes, we GENERATE the profile for that derived role there. Again go
to the master and click on Generate Derived Roles and then move them both in a TR?
2) After the Org Level change, we only SAVE the derived role and do not generate the profile. Go to
the master role, click Generate Derived Roles and transport both in a TR?
A. Both processes will work. The important thing to remember is to ensure that you
click the Generate Derived Roles button from the master. Also, if you create a transport for a
derived role, SAP automatically includes the master in your transport.
Q. If we change the value of organizational levels in derived roles, will it affect the parent role or
will there be some error?
A. Nope. Org Level values are supposed to be updated in the child roles.
Q. I am working on master and derived roles; I have updated the activities in the master role and
pushed the changes to the derived roles. Now I need to carry the changes to the production system.
Do I need to transport all derived roles or just the master roles to production?
A. You would need to transport both the master and derived roles.
Q. There is a requirement from the business to add and remove a t-code from only 1 derived role out
of the 5 derived roles present for a parent role. Is it possible somehow to achieve this?
A. It is possible to add a t-code in a derived role separately.
> add the S_TCODE auth. object in the derived role
> under this object add the t-codes which you want to add (in the TCD field)
> after that add all associated authorization objects manually
> maintain the field values as per your requirement
> save the role and generate the profile
Q. I have a query regarding role transports involving parent and derived roles.
1. I know that when we transport derived (child) roles, the parent role gets included in the
transport. This I understand is the SAP standard process. Would it be possible to provide more
information related to the SAP standard process regarding this? A link to refer to would definitely
2. Due to the inclusion of the master (parent) roles we end up getting a lot of transport
collisions. We have approximately 100-150 child roles per master role. As a result, though
there might be no actual changes on the master role, and maybe only an org level update
on the child roles for different locations, we still have to look at a lot of transport collisions due
to changes for different locations.
My questions are:
1. If we remove the parent/master role from the transport, would it cause any issues? Would it
also affect the inheritance in any way or cause any authorization issues later on?
2. Also, will transporting only the master role and then deriving the child roles work in the
above scenario?
A. Unfortunately I don't have a link to official documentation talking about the transport
process. If you are updating org levels, you shouldn't have to touch the master roles at all. Just
update the affected child roles with new values and generate these roles individually. Even if the
masters are automatically included in the transports, there won't be collisions, as the same master
roles with the same time stamps would be included in all the transports containing the master. I
don't believe it's a good idea to remove the masters manually from the transports.
Q. I am implementing the master/derived concept for HCM at present and I have an issue with the
P_ORGINCON authorization object. It would be very useful to create one master role and then
control child roles by PERSA and PROFL so that different structural auths can be assigned for
certain areas of the organizational structure, with PERSA restricting by location and then
PROFL by business stream (cutting across the org structure).
At present I have the option of: a) entering all values in PROFL in the master role and relying on
table T77UA being well maintained to only allow a single, appropriate profile to be brought
through for each user.
b) Leaving PROFL blank in the master and maintaining the values individually in each child role
after every update of the master role. Can you advise if it is possible or advisable to set up
PROFL as an organizational level data value via PFCG_ORGFIELD_CREATE so that it can be
maintained alongside PERSA? What issues do you foresee in doing this?
A. It all boils down to your requirements. I have used both PROFL and PERSA as both org
levels and normal authorization fields in different systems. The one problem that sometimes
comes up with PROFL as an org level is if the same role has different structural restrictions for
different info-types.

Q. If PROFL is set as an organizational value, you state that you had issues if more than one
structural profile is used in the same role. But is the problem not only that you cannot control
this from the organizational tab? In the question it is stated that it would be possible to leave
PROFL with * and then rely on the entries in T77UA. But is it not so that
P_ORGINCON uses the profile entered in PROFL and not the profile in T77UA?
A. You can certainly have PROFL as * in the role and control the actual assignment via the
OOSB entries. Whether to promote it to an Org Level is a decision based on your design of the
Q. Explain the process of transporting a composite role?
A. While transporting composites, the system offers you the option whether you want to include
the single roles making up the composite in the new transport. Unless the singles are new or have
been changed since their last transport, you can just transport the composite role.
Q. I have defined a new role and added it to a composite role, but when I try to generate a transport
req., it shows me 2 check boxes; which one(s) should I set so that the other single roles keep their
A. In this case, it will be necessary for you to transport the single role (since it is a newly created
one) as well as the composite role (after the addition of the new role). So mass transport has to be
used. So, only the second check box has to be checked.
Q. Difference between composite and single roles in PFCG?
A. Single roles are a collection of authorizations (t-codes/authorization objects)
while composite roles are collections of single roles. A composite role doesn't contain any
authorizations by itself, but is the sum total of the authorizations of the component roles. There
are different buttons in the PFCG initial screen for creation of composite and single roles.
Q. Is a mass generation option available for composite roles, like the one we use to perform mass
generation of single roles?
A. A composite role doesn't have a profile. How will you generate a role without a profile?
Q. Does anyone know how to assign a composite role in a CUA parent system? It exists in PFCG but not
in SU01; text comparison is not working as it's a parent system?
A. You would still need to do a text comparison for the role created in the CUA central system. But
you do this from PFCG > Environment > CUA text comparison for central system.
Q. Explain the tabs in creating composite and single roles, like Description, Roles, User,
A. 1. Composite Role
Description: It's the area where you enter details of changes done, for better understanding in the
future, for example the addition or deletion of a role.
Roles: This contains all the single roles a composite role contains. Any number of single roles can
be added to the composite role.
User: This is the list of users who have access to the particular composite role.
2. Single role:
Description: It's the area where you enter details of changes that are done, for example new org values.
Menu: List of transactions that a single role has access to.
Authorization: Here, by clicking on Change Authorization Data, the org values (like plant,
company code etc.) can be updated or removed. This tab also contains the profile name (the profile is
generated after the org values are updated).
User: This contains the list of users who have access to the particular single role.
Q. If we give roles in the ECC system and also in BI and CRM, my question is: can we map
these roles into a composite? If yes, how does it happen?
A. You can map roles from multiple SAP systems to a single composite. However, you need to
search on the web for the actual steps.
Q. Value Roles in my view is an outdated concept. The way I am aware of it is a little different:
transactions are maintained in one role with all objects maintained except for those involving orgs.
Org related objects are maintained in separate Value Roles. This limits the control you can have
from a security POV, as once you assign a value role it combines with all the transactional roles
and gives access at that level throughout. So if you want to restrict some roles at a lower level for
that org, that becomes difficult. Derived roles are a much better solution, period?
A. I agree with the gist of your thinking. The article doesn't specifically mention putting
only the authorization objects with the org levels into the value or enabler roles. I propose to
update the post to specifically include this. Also, as you mention, derived roles are a much newer
and, as I too believe, better concept. However, there are quite a huge number of functional
builds which still use value roles. Security in general seems to run on the paradigm "if it's not broke,
don't fix it", so getting business buy-in to update a system with value roles to derived roles will
prove to be difficult for most of the security consultants out there. And surprisingly, even new
builds still continue to use the value role concept. With the proper amount of documentation and
foresight, value roles/enablers/controllers can still be used effectively and result in much
smaller roles to maintain. For example, I have seen hybrid systems where the value roles
themselves are derived from a master so that the non org level fields are shared across a
multitude of roles.
Q. I created an MM role, but there are objects required which are FI (asset posting). Our consultant
says it is not possible to add those because it will cross into another module. But my client needs it
to continue their transaction. I checked in SU53 and it's checked with no proposal. Do I need to add
it to the role, whereas my client's function is limited?
A. There would always be auth objects of different classes in a single role. There is just no way
out of it. Many MM t-codes which deal with materials posting would need access to the FI
objects which control posting.
Q. I'm in a major implementation where, in our scenario, we have around 200+ plants and it
seems that we would have a huge number of roles if we follow the Master/Derived concept. For
example, the PM module has sorted out 7 master roles, so if we create roles for every plant then
we would have around 7*200=1400 roles for PM only.
The same situation is common for most of the modules.
So I think this transaction/value based role would solve our problem. But it's complex as you
said. What do you recommend? How should we go about building the security roles architecture?
A. I would still go with derived roles because long after your implementation is over, the derived
roles will be far more manageable than the transaction and value roles/enabler roles. A lot of the
tasks involved in creating derived roles can be automated by the use of LSMW or SECATT
scripts. You can even work with your ABAP team to help create code for updating org level
values. Using enabler roles will lessen your development time if you decide to have one or two
enablers per module (like PM) instead of the 7 roles you already have. However, this would
mean that users get far more authorization objects than they need to execute the t-codes that they
have access to via the transactional roles. If down the road you need to limit access, you would
find it difficult to remove the appropriate objects from the enablers.
Q. Instead of using SE16 in the production system we use SE16N, and we also assign it to users
requesting access to tables. Can you please help me understand the technical difference between
SE16 and SE16N other than that one is used to change/maintain a table and the latter for display
A. SE16N is the newer version of SE16 and comes with more options. For example, I believe
you are limited to 40 selection fields in SE16, while there are no such limitations for SE16N. The
biggest difference (especially on systems without the latest service packs) is the use of the
&SAP_EDIT option in SE16N. This option can actually allow a user to directly maintain a table
in SE16N without going through maintenance views. Since this feature can be and often is misused,
SAP has come up with corrections to disable this in the latest service packs.
Q. Object S_DISP_NAM does not exist in ECC 6.0?
A. S_TABU_NAM? The object was introduced in one of the service packs so if you are still
running an unpatched system, the object might not be available.
Q. Is there any disadvantage to using the S_TABU_NAM authorization object?
A. Nope. But you would need to know each table that you want to restrict.
Q. Why is it not possible to have more than 1 view/table per attribute? Or is it possible and I am
missing something? This is the error I get when I try to add new entries in the table fields?
A. I can confirm that SAP will not allow you to enter multiple tables/views at this step. If you are
concerned with a small number of tables you can think of creating a separate org criterion for
each of them.
Q. Can the object S_TABU_LIN be used for SE16N & SE17? Once given for table access, can
it restrict values in SQ00? Can you provide a solution for the same? I also need a solution that
covers lots of tables in one go. Any help will be appreciated?
A. I don't believe you can use a single org criterion for multiple tables unless you are activating
it for all tables where a field is present. Once activated, it should work for SE16N and SE17 as
well. For SQ00, whether S_TABU_LIN is checked will depend on how the underlying info-set is
designed. An info-set created on a single table or a table join should check for S_TABU_LIN
and the rest of the basic table security.
Q. What is the SQVI t-code used for? Explain its functionality?
A. It is used for creating quick reports based on table joins or info-sets. Ideally the use of SQVI
should be limited in production system as it is a resource hog and a wrongly written join can
affect performance pretty drastically.
A. You are correct. Address data (name/email etc.) cannot be modified using SU10. Also, it's very
easy to mistakenly keep one or more of the options in any of the different tabs checked and
unwillingly modify a large number of user masters.

Q. After saving the changes in SU10, it generates a log. Assume that I have accidentally closed
the log display session (without even exporting it); how can I access the log display (last
screenshot in this article) again?
A. You can navigate to Goto > Logs from the initial screen of SU10.
Q. Which format is used for uploading the file? Can you show me a snapshot of the upload file format
using an LSMW script?
A. The file format will differ depending on the parameters you are using in your LSMW script.
In the Specify Files screen you get an option to specify the file that you are going to use for
your load. I use a Comma Separated Variable (.csv) file. To get a .csv file you basically prepare
your data in Excel and save the file as .csv instead of .xls.
Q. I am an LSMW user and have 17 programs developed by my IT team. I support Master Data.
But I am concerned that I cannot change the file name in the Specify Files step. Will SAP allow
that single step to be maintained by the user without opening the other Maintain steps?
A. Just changing the file name will not work. You will at least need to re-execute the rest of the
steps (here I am talking about the steps that occur after specifying the file name) as new data
from the new file needs to be read and then converted before being used in the script.
Q. I am having a problem trying to use LSMW to record info-type 0585; this info-type contains a
list table within the screen. Whenever I execute the script, the last row in the list table is not
captured (I get a message that it is not found in the screen). Is there a way to overcome this?
A. Using LSMW to populate a table is always tricky as the system doesn't know where in the
table the new values are to be inserted. Though I am not familiar with this info-type, I would
suspect that a similar situation might have occurred. I am not guaranteeing that you will be able
to successfully update it using LSMW. You can try re-recording the script once again and check
that you can actually update the info-type correctly the first time.
Q. How to assign different roles to different users?
A. Are you actually trying to assign different roles to different users in mass? There is no t-code
to do this. SU10 will add the same roles to multiple users. If you are familiar with ABAP, you
can actually create a custom program with the standard BAPIs that SAP provides for user
administration. I get around the problem by creating a SECATT script which adds a single role
to a single user. If you run this for a list of users and roles you end up solving your
requirement. But even this is not a very efficient solution.
Q. When I am recording SU01 for ZUSRCREATE, I am not able to get the PASSWORD field in it, so
I am not able to map it with the PASSWORD field in USRDATA?
A. I think there is a problem in your recording. Otherwise it should have been available. Try
re-recording and try resetting the password during the recording session. This will ensure that the
screen is captured.
Q. I created an LSMW for user creation; it is creating the user but not assigning the role and user group.
But while recording, the values are populated. Even if I hard-code the user group, that value is not
populated for the user?
A. Keep trying. A single LSMW script to create users and assign them roles will be tricky to
create. I would suggest splitting it into two separate scripts.
Q. While uploading the data, when I run the batch input session (the last step), it takes me to the screen
to create the data which I am uploading. The first screen is fine, but coming to the second tab, i.e.
the Logon Data tab, the fields are mismatched?
A. The field mapping (the data uploaded to the fields used in the script) is controlled by how you
map them in the initial steps of the LSMW script creation.
Q. I tried uploading the data as per the steps mentioned by you. I tested with 2 user records. In
step 9 it shows me 2 written entries but when I check in SU01 I don't find any of the two
A. Difficult for anyone to troubleshoot without actually looking at the script. My suggestion
would be to check the recording and also how the read data is being mapped to the screen fields in
the recording.
Q. I am using an LSMW script to create users and assign roles. Somehow, the recording works fine
for user creation, except for assigning the role. The role assignment fields are not getting captured in the
recording. Any idea why?
A. Nope. I believe you need to revisit the recording or check how the input fields are being
mapped to the fields captured during recording. I would have serious doubts whether role assignments
for any number of roles can be done in the same script as creating a user.
Q. Generation of the program requires an access key. Could the SHDB process be simplified,
rather than generating a program?
A. I think you would need an access key if you are using this method. Anyway, you will have to
modify the generated program so that it can read and process an external text file. If you don't
have an access key, try using LSMW or SECATT to get your job done.
Q. I understand that we would prefer LSMW/SECATT to SHDB due to the access key issue or
ABAP coding. However, I would like to know when it would be advisable to use LSMW and
when SECATT. Basically, I want a comparison as to which scenario would be better for which?
A. It really depends on what you are more comfortable with. Both LSMW and SECATT have
their own advantages. For example, to run a SECATT script, the client settings should be
modified to allow it. On the other hand, with SECATT it's feasible to store your scripts in
a central system and run them via RFC calls in other systems.

Q. How to give the &SAP_EDIT option for a particular table?
A. This is not possible. I would recommend that you shouldn't even be thinking about giving
&SAP_EDIT to any user at all.
Q. If a user is logging in to firefighter and executing a t-code, is not able to access it and gets
an authorization error, what could be the reason behind it, assuming that the firefighter has
SAP_ALL access?
A. I would start with running SU53 when you run into the error while logged in as a firefighter.
Lots of SAP functionality is controlled by settings other than standard authorizations. If SU53
looks clean, it might be one such situation.
Q. Describe BI architecture and how it relates to your security policies?
A. Searching..
Q. Can you please give me more information about navigational attributes and how we
restrict these navigational attributes, with a business (real-time) example?
A. In BI 7, you secure navigational attributes in the same way as you would secure any other
characteristics. Whether a characteristic is added to a cube as navigational or as a base
characteristic is totally dependent on the BW developer and the reporting requirements. The
navigational attributes are distinguished by an underscore (_) between the name of the base
characteristic and the attribute (e.g. 0COSTCENTER_0COMPANY_CODE). Once you have the
list of navigational attributes from the BW developer, just add them to your analysis
authorizations as you would any other characteristic.
Q. When can we use copy roles?
A. When you want to copy the authorizations maintained in a role to a new role name.
Q. If one IOBJ 0COMPANY_CODE is a base and is used as a nav as
0COSTCENTER_0COMPANY_CODE, can you please let me know how the reporting is affected
if we restrict authorizations to certain company codes in base and nav, i.e. 1) if I give * in base
and some restriction in nav, 2) if I give some restrictions in base and * in nav?
A. Both the base characteristic and the navigational attribute of 0COMPANY_CODE will hold
essentially the same data in the data warehouse and should be restricted to the same authorization
values. I can only accept giving different security values if the data sources contain different
values. You can check with your data loading team if your BW design fits such a scenario.
Q. However, if both base and nav are going to have the same authorization values, then what's the
significance of making the nav authorization relevant?
A. In some design scenarios your proposal might work and even lead to less maintenance. Now,
think about a scenario where you maintain 0COMP_CODE with the values : (colon) and the actual
company code values. The navigational attribute for company code is not auth relevant. You will
be able to run your queries with any value of company code and defeat any security restriction
for company code that's in place.
Q. What is the main purpose of the attribute tab in RSD1?
A. Like the name suggests, the attributes tab lists the attributes for an Info-Object. Attributes can
be of two types: display attributes and navigational attributes. The navigational attributes of an
Info-Object can be auth relevant and this is set in this screen.
Q. If I maintain 0COMP_CODE as : with the actual company codes and the nav
0COSTCENTER_0COMP_CODE with a few company codes, will the user be able to see data
only for the company codes mentioned in the nav?
A. Yes, as long as 0COMP_CODE is in the free characteristics for the query.
Q. How are RSA1 and RSD1 different? What exactly can we do in RSD1?
A. RSD1 is used to maintain Info-Objects while RSA1 is the Admin Workbench, which can be used to
administer the entire data model (including Info-Objects).
Q. In the portal a user is trying to fill in his subordinate's time details. But he is unable to do that. It is
showing the error "You don't have access to IT2003". But when I check in the backend system the user
has the authorization for info-type 2003 with Read access and with type I (Inclusive). Can
you please tell me the authorization missing for the user?
A. Lots of things to check here. The comment on type I (inclusive) indicates that you are talking
about P_PERNR. P_PERNR authorizations will only come into play when a user tries to access
his own HR record. For others you need to look at P_ORGIN (CON), P_ORGXX (CON), etc.
You mentioned the subordinate's time. So are we talking about a manager updating time for a
subordinate? In such a case, are structural authorizations switched on? Does the manager have
access to the subordinate through PD profiles? Does the application need read or write access to
IT 2003? The user needs P_PERNR with the value of E with Write access on info-type 2003.
Q. If a user's refresh icon is grayed out, what does this mean?
A. It might mean a lot of things depending on context. It can mean that there is no connection to
the SAP system or that the user doesn't have execute access for the query.
Q. I have given full authorizations for all fields in S_RS_COMP and deactivated S_RS_COMP1, or vice
versa. Will the user be able to execute the query?
A. Both S_RS_COMP and S_RS_COMP1 are needed to execute BEx queries.
Q. I have a BW production environment that is totally closed for editing. It is correctly
configured in SE06 and SCC4. However, I can edit queries (by using BEx Query Designer),
DTPs, info-packages and process chains. How can I prevent editing of queries using Query
Designer? Do I have to create an authorization object?
A. Editing queries is controlled by two main objects, S_RS_COMP and S_RS_COMP1. Search the
documentation for either of them on SAP Help and you will get enough pointers on how to restrict
modification of queries in any environment.
Q. How do workbooks and query reports differ?
A. The query is really a design view of the characteristics/key figures which make up an
Info-Provider. A workbook, on the other hand, is the formatted result of one or more queries. To
execute/refresh a workbook you would need access to all the underlying queries and the
Info-Objects in them.
A query is the technical definition of the report structure. A workbook is an Excel file in which
one or more queries can be embedded. You can refresh the workbook after connecting to the BW
system, and the query in it will be refreshed and populated with current data. The reason
for creating workbooks is that, using the same query, different report formats can be saved for
future reuse. Also, users can set up their own report formats and save them as workbooks in their
Q. How do I restrict two users' reports at the BI role level/authorization object level? We need only
display access. How do I restrict the users at the BI level?
A. Query creation/display/change is controlled by the S_RS_COMP authorization object. Feel
free to browse through the rest of the articles on BW.
Q. I'm new to BI security. The new concept allows us to separately secure the navigational
attributes used in an Info-Provider. For example, the authorization object 0COSTCENTER can
have different security when it appears as an Info-Object in an Info-Provider and when it appears
as a navigational attribute for another Info-Object. In the old concept, would both these cases have
had the same security?
A. You would need to understand the structure of Info-Objects and how Info-Objects are used in
Info-Providers to understand this statement. You can look at the attributes of Info-Objects
in transactions RSA1 or RSD1. Otherwise it's difficult to appreciate how Info-Objects differ
from their navigational or display attributes.
Q. I want to know how we handle a scenario in which a user needs to be given access
to display one field in the query but another field is not included in the output.
Will using colon (:) solve the issue?
A. Whether colon (:), i.e. authorization for aggregates, will work is determined by the design of
your query and whether any restriction for the field is being used. I can think of a
few cases:
- Field not included in the query: colon authorization will work.
- Field included in the query but part of the free characteristics: colon authorization will work.
- Field included in the rows of the query, no restriction: colon will not work. You need * to give access.
- Field included in the rows of the query and restricted to particular values: colon will not
work. Both * and the actual restricted values can be used to give access.
Q. We have over 65 info objects which are marked as authorization relevant. So whenever we
create an analysis authorization, we need to individually select * for all the objects to
which we want complete access. Normally all we need to control is access to a couple of info
objects, but we end up declaring * for the remaining large number of info objects. It is very time
consuming. One way is to do housekeeping of the authorization relevant check of all the info
objects which need not be part of security. Is there any method to consider only info objects of
A. I can think of two options to reduce maintenance. Firstly, if you are not securing any of the 65
characteristics, you can revisit the decision of whether you really need them to
be authorization relevant. If they don't need to be auth relevant, switching off the auth relevant
flag in RSD1 will save entering them in analysis authorizations. Secondly, you can create a
single authorization with all these 65 characteristics which do not need to be secured. Maintain
all of them with * access and use this authorization for all users (maybe through a common
role?). Now you only need to create authorizations for the info objects which you really want to
Q. We are trying to restrict the user by cost center and we have added EQ xxxx, and also
maintained another row with EQ colon (:). Now when we assign this cost center to the user he
is still able to access the other cost centers. Do you want us to remove the colon (:) and then try,
or is there any other way to restrict the cost center? Note we have also maintained the hierarchy
A. Authorization values are intrinsically related to the query design and the input values used while
running the query. A colon (:) for cost center would allow you to run an unrestricted query
on cost center as long as cost center is not part of the rows section in the query design. So first
check the query design and then the requirements.
Q. We have a requirement where we have to give a particular user access to cost centers (1000
& 2000) and also want to give access to the aggregate value (cost centers 1000-9000). When defining
analysis authorizations I gave EQ 1000, EQ 2000 and in another line EQ :. The user can view
the amounts for cost centers 1000 and 2000, and for totals can only see (1000+2000) but not the
aggregate $ amount that a user would see with full access. Is this even possible with the
: authorization?
A. Adding colon (:) for cost center should allow you to see the aggregate (totals) value for cost
center. However, you mentioned that this is not working for you. This might be due to how the
queries are constructed. Are you running the queries with cost center restricted to 1000 + 2000?
If it's restricted, obviously the totals will also be for these two values. However, also note that in
case cost center is present in the rows section of the query, you would actually need the
characteristic to be restricted to the two values. Otherwise you will get an authorization error. As
long as cost center is in the free characteristics and is not restricted, you should be able
to display totals with the : value.
Q. The query itself is not restricting to those particular cost centers. With the analysis
authorization object that I created, I can restrict what the user can drill down to with respect
to cost center. Our requirement is that the user should see the cost centers they are authorized to, plus the
aggregate value. However, while I am able to give them the cost centers they can access, for the
aggregate totals they just see the total for the cost centers they have been provided authorizations for.
For example:
Cost center analysis authorization 1:
EQ 1000
EQ 2000
The user can only see data for 1000, 2000 and for totals the total of 1000+2000. For the total we are
expecting that, with the colon authorization, the user should see cost centers 1000-9000, which does
not seem to work. Is there anything our developer has to do to modify the query (with respect to the
variable type used)? We are clueless about what needs to be done to make this work.
A. The behaviour you are reporting is typical of the case when you do restrict a characteristic at
the query level. Can you please confirm that you are not using an authorization variable to
restrict cost center in the query definition? If you are using an authorization variable, the query
will only pull in data for 1000+2000 during execution.
Q. The query does use an authorization variable for cost center. If we want the aggregate to show
up in totals (for the : authorization to work), what type of variable should be used?
A. An authorization variable will just pull in actual values, not colon (:). As a result, you cannot
at the same time restrict a characteristic to values and expect it to return data for all cost center
values. I can think of 2 options now. Create a new version of the query where cost center is not
restricted by the authorization variable. Make sure that cost center is in the free characteristics.
This query will not allow you to drill down on cost center. A second option will be to change the
first query so that it prompts you for the cost center during execution instead of just running with the
authorized values. When you want to drill down you can restrict to actual values. To see totals,
you run it unrestricted. I believe you can set up authorization variables so that they suggest the
possible authorized values instead of running for all.
Q. Can you please briefly explain about the BI security upgrade? I need to use the migration tool
(RESC_MIGRATION). Can you please provide a more proactive approach for this BI security
A. I have been involved in a few BW upgrades but nowhere was the migration tool used. I would
accept that the tool can get you 80% of the way to a successful migration, but the remaining 20%
would still need to be manually adjusted. If you decide to go for the tool, make sure you thoroughly
go through the SAP documentation around it and whether any manual changes would be needed for
Q. Can we use colon authorization and structural authorization at the same time? In our HR
system we follow structural authorization on 0ORGUNIT, and for a particular requirement I had
to create a colon on 0ORGUNIT. My question is, will the colon authorization overwrite the structural
authorization in this case?
A. Structural authorizations are implemented in BI through a customer-exit variable. So the
behaviour will be governed to a large extent by the code that's put in the customer exit. I would
suggest you take the help of an ABAP developer to check the code maintained for the exit and
see if you can incorporate the colon (:) authorization at that point.
Q. I have 3 custom Z* objects derived from 0EMPLOYEE.
ZBASIS: everyone has access.
ZPRIV: only certain people have access to sensitive data.
ZFIN: only certain people have access to sensitive data.
I only turned on the Auth. Relevant flag for the three objects, not for the attributes.
I put the 3 objects in free characteristics (no variable created). When I drag the three objects from
the free characteristics to the report, I get the error message "Not enough authorization". I am missing
the authorization value * for ZFIN and ZPRIV.
User 1, who may only see basis data, got:
ZFIN -> :
ZPRIV -> :
User 2, who may only see basis and FIN data, got:
ZFIN -> *
ZPRIV -> :
A. The error messages that you have reported already give the correct answer. However, I will
reiterate some of the points. An unrestricted authorization relevant characteristic in the free
characteristics of a query would require the colon (:) value for it in an analysis authorization. When
you are dragging a free characteristic to the rows area, the colon alone will not be sufficient as you are
drilling down on the characteristic. Colon is only meant to authorize access to aggregates, not
detailed values. In such a case, in addition to the colon you would need to restrict the
characteristic to actual values through authorization variables or use (*) for the characteristic.
Q. I've to create more than 500 analysis authorizations (unfortunately this is the only option that
we have in our company). Is there a way to create all the authorizations at one time? Some mass
creation or something similar? I know that I can update them massively, but the options there are
very limited. Probably an LSMW or could be created, but is there some standard SAP
A. To the best of my knowledge there is no standard t-code or such to mass create analysis
authorizations in BW. If you can record an LSMW or SECATT script to do the job, I suggest
going forward with that. I have used the same technique when I had to create or update analysis
authorizations en masse. However, SAP provides an FM, RSEC_INSERT_FLAT_AUTH, which can
create analysis authorizations programmatically. You can ask an ABAP developer to write a
wrapper program around this to read data from a file and execute this FM with the data.
Q. I have a requirement to restrict specific cost centers from the detail view, but the key figure total
should contain their value. It would look like this:
Cost center     Amount
75000           $996,853
75010           $354,005
75020           *
75030           *
75040           $6,569,900
75050           $1,567,113
Overall Result  $10,171,981
You can back into the value of the 2 restricted cost centers being $684,110, but it doesn't show the
individual values. I've tried many different configurations, but because the security fails on 75020
and 75030 no values are returned, just the failed authorization message. Is there any way around this, and
is the above doable within the BW security paradigm?
A. What you are trying to do can't be done with standard SAP BW security. To show the cost
centers in the detail view, you would have to make sure that these values are authorized for the cost
center characteristic. On top of this, if you have access to the Amount key figure, it will show
data for all the authorized characteristics. The choice you will have to make is whether you
want to give access to the two cost center values or not.
Q. I created a role with S_RS_COMP and S_RS_COMP1 and added one report to the role. I have
not assigned any analysis authorization in this role or directly to the user. Now when I am
executing the query in the system, it shows that I am not authorized for Info-Provider Ztest1 with
display access. Now my question is, how can I find at table level the analysis authorization which contains the
Info-Provider?
A. Table RSECVAL gives you the analysis authorizations already created with the values
maintained in them.
Q. For one user, I have a situation where we need to
Case 1: give access to, let's say, personnel areas 1, 2, 3, 4 for Info-Provider 1 for query 1
Case 2: and personnel areas 1, 2, 3 for Info-Provider 2 for query 2 for the same user.
I am thinking this can be solved by creating two analysis authorizations and assigning them to the
same user in S_RS_COMP and then adding query 1 and 2 in S_RS_COMP1 in the same role. I can't test it
as sufficient data is not available in Dev. Can you please let me know if the solution is OK or if
there is any alternate route?
A. Two analysis authorizations would be needed, as you mention. However, analysis
authorizations are maintained in S_RS_AUTH. The query authorization would need to be added
to both S_RS_COMP and S_RS_COMP1.
Q. We have a BI 7.3 security upgrade coming up and currently we are on BI 7.0, however using
the reporting authorization concept. Now that we have to move to the new analysis approach, I
have a few steps to begin with, but again a few queries on certain steps as this would be the first
time I would be working on BI security. Please help me understand what needs to be done here.
Step 1: Activate the authorization mode to "Current procedure with Analysis authorization" in
SPRO. My query here is whether this has to be done before the upgrade or afterwards.
Step 2: I hope we need to perform the SU25 upgrade here (not sure, please clarify).
Step 3: Building analysis authorizations: Do we have to activate the 3 special characteristics, i.e.
0TCAVALID, 0INFOPROV? Or are they authorization relevant by default?
Step 4: Because we have all the reporting roles in place and working fine, we are thinking of
redesigning the data for the queries of these roles to the new concept. Is this fine to go with?
Step 5: While redesigning these roles, we need to check for the info providers that provide data
for the queries in these roles and restrict the data accordingly in the analysis authorizations.
Now in our case, when I analyzed one role which was providing some finance related reporting, I
got quite a few info objects that were auth relevant, but I am unable to find out how the data
access was provided to these in the existing process, as they do not have any custom objects
which provide data. What would be the right approach to deal with this? Do I need to consult
the BI development team, or is there any way I can find out from the system how the
user is trying to access data, especially some org field related ones?
Step 6: Restrict access based on either value or hierarchy authorizations. Is this again the BI
development team who would be suggesting this to us?
Step 7: Add these analysis authorizations to the role and provide access to the user, test it and
move it to further environments.
A. However, I am very doubtful about how much help I can provide you here. An upgrade from
reporting to analysis authorizations is a big event and can prove challenging for seasoned
security consultants. My first suggestion is to get some real help from folks around you. Next,
look at the SAP documentation about the steps involved in an upgrade. This is far too important a
subject to base your actions on my website.
I will still try to answer a few of the questions.
Step 1: Activate the authorization mode to "Current procedure with Analysis authorization" in
SPRO: can be done after the Basis upgrade has been completed.
Step 2: I hope we need to perform the SU25 upgrade here (not sure, please clarify): SU25 is a
big subject in itself. It's probably not going to make a huge difference with reporting, but ideally
SU25 should be performed after each upgrade of the system.
Step 3: 0TCAVALID, 0INFOPROV: check these in RSD1 after the upgrade. I believe you will
have to set them to auth relevant.
Step 4: Ideally the upgrade should be transparent to the end users. So queries should remain the
same and the roles need to be updated with new authorizations. However, if you have to re-write some
queries as part of the upgrade, that's fine too.
Step 5: You need to get some help in how to analyze BW security. This site can provide a start,
but some of it just comes out of experience. SAP has a good training program for BW security,
BW365. Try if you can go for it.
Step 6: Restrict access based on either value or hierarchy authorizations: How does security
work currently? Both were supported as part of the reporting authorization.
Step 7: Once the authorizations are built, added to roles, and tested, you would need to move both the
roles and the analysis authorizations to production.
I will end by re-iterating that if this is indeed your first BW project, get help from someone who
has actual experience with an upgrade.
Q. I'm new to SAP BW and I'm in the migration process to the new authorization concept.
Here is what is happening: I have a role with all access to company (*) of provider X.
I have another role with restricted access to companies (e.g. COMPANY1, COMPANY2 and
COMPANY3) of provider Y. When I assign those 2 roles to a user and access a query of
provider Y, I can see all the companies when I was supposed to only see 1, 2 and 3. What am
I doing wrong?
A. What does the authorization trace in RSECADMIN say? There might be a third authorization
which is resulting in the extra access. The trace will tell you what all is happening behind the
Q. How do I set the authorization relevant flag for 0TCAACTVT, 0TCAVALID, 0INFOPROV in
RSD1? In my system I find it uneditable.
A. Do you have security for changing these settings? Since these are Info-Objects, this is better
done by a BI developer rather than a security person.
Q. How can we maintain the authorization values in production? The values in the PROD system
are quite different from the volumes and data in DEV. I have a requirement to restrict on
hierarchy and I might need to change the authorization values from time to time, and this can be
done only in production as I don't have the same hierarchy in DEV. Can anyone please help on
how I can maintain the auth values in the production system directly?
A. If you are using hierarchies, you need to ensure that the hierarchies are maintained the same
throughout the landscape, or at least that the top level nodes are present. Once these nodes are present,
you should modify your analysis authorizations in dev and transport to prod. Directly
maintaining this in production is a very bad idea.
Q. Is there a difference between assigning multiple info objects to the same analysis
authorization object versus assigning each to its own analysis authorization object (other than
the obvious need to add one vs. multiple objects to S_RS_AUTH)?
A. No difference between the two approaches except in the design philosophy.
Q. Once an analysis authorization is generated, it will no longer let me modify it. Is there a way
to get around this?
A. Maybe you have created access for S_RSEC and S_DEVELOP but not change access.
Q. I was wondering if you would know if there is a way to disable the publish functionality
within the BEx Query Designer in BW 7.01. It appears that although a reporting user has
no authorization to save queries (only has S_RS_COMP ACTVT 03, 16, 22), they can still open the
Query Designer through the Analyzer and still publish a query to whatever role they have listed
in S_USER_AGR. I am using S_USER_AGR because the reporting users should still be able to
create workbooks and save them to the menu roles.
A. Unfortunately, SAP security doesn't distinguish between saving queries and saving
workbooks to a role, and publishing to roles is just another way of saving to roles. I don't think
there is any way to restrict publishing queries without affecting the ability to save workbooks to
roles. You might try to put in some security in S_USER_AGR so that users can only save to
certain roles. Also, this is just a thought, since I don't have access to a live BW system now: try
removing activity 22 from S_RS_COMP. This should stop you from assigning queries to roles,
but I'm not sure if it will impact workbooks as well. Best of luck! Please tell us what you end up
Q. I would like to check with you on how the system checks BI authorizations. Does it check every
possible combination?
For example, a user is assigned 2 analysis authorizations as below:
A: plant 1000, purchasing group (PG) 100
B: plant 2000, PG 200
When the user runs a report and fills in the fields with plant: 1000, 2000 and PG: 100, 200,
he/she will actually get no authorization. When I checked the trace, it looks like the system is
checking for:
1) plant 1000, PG 100
2) plant 1000, PG 200
3) plant 2000, PG 100
4) plant 2000, PG 200
In this case, the authorization failed because there is no such combination for 2 and 3 in
my analysis authorizations. I would appreciate your advice on whether my understanding is correct and how we
can work around this, apart from asking the user to run the report separately for plant 1000 and 2000.
A. First of all, let me thank you for asking such a great question. Understanding the behavior of
the SAP security system in different scenarios is likely to benefit others visiting the post. Now to
your question. Your interpretation of how the system is actually behaving is absolutely
correct. The system checks that you have access to all 4 combinations before giving you access. So
with the two authorizations that you have, you will face an authorization error. The easy
workaround for this, as you mention, is to ask the user to run the report twice with the different
combinations of values. To help the user, you can actually save the combinations in two variants
and ask that these be used instead of manually keying in the values. Finally, I am not sure if you
just picked an example with the above scenario or are actually trying to solve a business
requirement. If this is an actual requirement, you might want to check the enterprise structure
(the relationships between plants, purchasing groups and users) in your organization. Typically I
have found that buyers are assigned to purchasing groups and might be responsible for one or
more plants. So the requirement that a buyer should have different purchasing groups for
different plants is a bit different from what I have seen till now. If after further research you find
that the buyer is really responsible for PG 100 and 200 in plants 1000 and 2000, the
best solution would be to create a single authorization with plant 1000, 2000 and PG 100, 200
instead of the two that you are currently using.
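To make two of the behaviours discussed above concrete (the colon/star/value cases listed in the earlier answer on aggregates, and the all-combinations check described in this answer), here is a small Python model of the analysis-authorization check. It is an added illustration written for this page, not SAP code or a description of SAP's implementation, and it simplifies deliberately: an authorization is just a set of values per characteristic; the special characteristics 0TCAACTVT, 0TCAIPROV and 0TCAVALID, hierarchies and intervals are left out; "in rows with no restriction" is modelled as needing every value; and an authorization that does not name a checked characteristic is assumed to cover nothing for it (how SAP merges authorizations that cover different characteristics is not modelled). The plant/purchasing-group and cost-center authorizations in the code are constructed from the questions above.

```python
"""Simplified model of the SAP BW analysis-authorization check (added illustration, not SAP code).

Modelled behaviour, taken from the answers on this page:
  ':'  authorizes aggregated (total) values only,
  '*'  authorizes every value (modelled here as also covering the aggregate),
  a value list authorizes exactly those values, and
  a query selecting several values of several characteristics is checked per
  combination: every combination must be fully covered by ONE authorization.
Assumptions: no 0TCAACTVT/0TCAIPROV/0TCAVALID, no hierarchies or intervals, and an
authorization that does not name a checked characteristic covers nothing for it.
"""
from itertools import product

AGGREGATE = ":"   # characteristic not in the query, or in free characteristics and not drilled down
ALL = "*"         # characteristic in rows/columns with no restriction: all values are displayed


def auth(**values):
    """Build an authorization: auth(PLANT="1000 2000", PG="100 200") -> {char: {values}}."""
    return {char: frozenset(v.split()) for char, v in values.items()}


def needed_cells(requirement):
    """Expand what a query execution needs into the (characteristic, coordinate) combinations to check.

    requirement maps characteristic -> AGGREGATE, ALL, or a set of selected values.
    """
    chars = sorted(requirement)
    per_char = [[requirement[c]] if isinstance(requirement[c], str) else sorted(requirement[c])
                for c in chars]
    return [tuple(zip(chars, combo)) for combo in product(*per_char)]


def covers(authorization, char, coord):
    """Does one authorization cover one coordinate of one characteristic?"""
    values = authorization.get(char)
    if values is None:      # assumption: silent on the characteristic -> no access
        return False
    if ALL in values:       # '*' covers every value and the aggregate
        return True
    if coord == ALL:        # unrestricted drill-down needs '*'; ':' or a value list is not enough
        return False
    return coord in values  # a concrete value, or ':' when only the aggregate is needed


def check(authorizations, requirement):
    """Return (authorized, uncovered_cells); fails if any cell is not covered by a single authorization."""
    uncovered = [cell for cell in needed_cells(requirement)
                 if not any(all(covers(a, c, v) for c, v in cell) for a in authorizations)]
    return (not uncovered, uncovered)


def authorization_variable_values(authorizations, char):
    """What an authorization variable fills in: the concrete values only, never ':' ('*' not modelled)."""
    values = set()
    for a in authorizations:
        values |= {v for v in a.get(char, ()) if v not in (AGGREGATE, ALL)}
    return sorted(values)


def describe(label, authorizations, requirement):
    ok, uncovered = check(authorizations, requirement)
    print(f"{label}: {'authorized' if ok else 'NOT authorized'}")
    for cell in uncovered:
        print("   missing combination:", ", ".join(f"{c}={v}" for c, v in cell))


if __name__ == "__main__":
    # The plant / purchasing group question: two authorizations, one report run for both.
    a = auth(PLANT="1000", PG="100")
    b = auth(PLANT="2000", PG="200")
    both = {"PLANT": {"1000", "2000"}, "PG": {"100", "200"}}
    describe("A + B, plants 1000,2000 and PG 100,200", [a, b], both)   # fails on 1000/200 and 2000/100
    describe("A + B, plant 1000 and PG 100 (variant 1)", [a, b], {"PLANT": {"1000"}, "PG": {"100"}})
    describe("single merged authorization", [auth(PLANT="1000 2000", PG="100 200")], both)

    # The colon cases: ':' serves aggregates and free characteristics, drill-down needs values or '*'.
    cc = auth(COSTCENTER="1000 2000 :")
    describe("cost center in free characteristics", [cc], {"COSTCENTER": AGGREGATE})
    describe("cost center restricted to 1000,2000", [cc], {"COSTCENTER": {"1000", "2000"}})
    describe("cost center in rows, unrestricted", [cc], {"COSTCENTER": ALL})
    print("authorization variable would fill:", authorization_variable_values([cc], "COSTCENTER"))
```

Running the script reproduces the trace in the question: the combined selection fails on exactly the two cross combinations, each variant on its own passes, and the single merged authorization passes; the cost-center runs show why an authorization variable (concrete values only) can never deliver the colon-style total.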
Q. Does ST01 report missing values of the S_RS_AUTH object? What is that restricted user?
A. For missing S_RS_AUTH objects, i.e. analysis authorizations, you would need to use the
trace function in the RSECADMIN transaction. I am not sure about your second question.
Q. I cannot find any entries on the CMC home page, although I have SAP_ALL. I.e. under Organize, there
are no entries, i.e. Folders, Users and Groups. How do I get these entries?
A. SAP_ALL will not give you any rights in BOBJ. What you see in CMC is controlled by the
rights assigned to your user in BOBJ.
Q. I have deleted the administrator rights to manage user groups. Do you know how I can recover
A. There should be a default user account called Administrator which should have access to
everything within BOBJ. However, if you had changed the rights of the administrator group itself,
then you are out of luck.
Q. Do you know the use of parameter UGR value 10 and why we have to make sure it is not
abused? Should we not assign SU3 to users, so as to prevent them from updating this parameter?
A. The UGR parameter is meant for the default HR user group for a person. The user group is used as
part of config entries to control the user interfaces (for example the info type entries or number
of tabs) in standard SAP HR transactions like PA20, PA30, etc. Also, this parameter just controls
the user interface. So security will always be checked in the backend, and there are ways
to display info types even if they are not in the default interface. I am not aware how user group
10 has been used in your landscape as this is totally dependent on configuration. Please check
with the functional HR guys about the ways in which user group is being used in your system.
As you mention, any user with access to SU3 will be able to change the default values for UGR
maintained in their user master. I don't believe taking away SU3 is the solution in this case as
this might have other implications for maintenance. However, someone (a process owner) has to
take a call about the sensitivity of users changing their UGR parameters.
Q. Normally we assign the parameters below in the SAP HR system:
CATS_APPR_PROF = ESH_LINE
MOL = 45
Can you please let me know why we have to assign them in SAP?
A. User parameters in general are used to provide default values for
various transactions/applications. CVR is used to provide the default time entry profile in CAT2.
MOL is MOLGA, or the default country grouping. CATS_APPR_PROF is the default for the
CATS approval profile used by time approvers.
Q. Do you have a list of critical info types/subtypes that we should make sure are secured in any
SAP environment?
A. I don't have a list of critical info types which might need to be secured, as any list will vary widely
with the country or even the industry that you work in. Security for HR data is all dictated by the
privacy policies of an enterprise or the prevailing privacy related laws in the country. It's
normally not dictated by the security team. I would suggest getting in touch with the Privacy
Officer or the Chief Information Officer in your organization for guidance on what needs to be
protected. Give them a list of the info types in the system and ask what the protection
level for each of them should be.
Q. Regarding info types, why is info type 0105 subtype 0010 important and why is it that it
needs to be maintained?
A. Not absolutely sure, but subtype 0010 is probably for email. Check transaction SPRO for info
type configuration. You can get the names of all info types/subtypes defined in the system.
Q. I am working on an implementation project. When the HR person is trying to create PERNR
records via PA40, it gives the error message "No authorization to maintain actions Z1 exists". Does
this have anything to do with info types? Any idea how to resolve this, since SU53 and trace do not
catch any missing authorizations?
A. To run any actions in PA40 you need write access to info types 0000 (Actions) and 0302
(Additional Actions). My guess is Z1 is the custom action type that you are using for hiring
employees. You can use this as a subtype for IT 0000 if you have a requirement to secure actions
at action type level. However, a trace should catch this error.
Q. What's the difference between employee and applicant in HR? Personnel Administration (PA)
data consists of attributes for people, whether employees or applicants, and is stored in the PA
info types?
A. From a functional HCM level there might be a lot of differences and I wouldn't
claim to know all of them. In brief, an applicant is basically someone who is looking for
employment in your company. Once he is hired he becomes an employee.
The tables storing applicant data are of the form PBXXXX instead of PAXXXX, which store
employee data. The transactions and authorization objects to restrict applicant data are also
different. For example, to maintain applicant data you would use t-code PB30 and secure it via the
P_APPL object. Typically security requirements around applicant data are less stringent than for
Q. Actually I have to provide table level security only for all those HR tables which have
restricted data and should only be viewed by responsible persons who have the
required authorization. So, as per what I have till now, if I restrict all tables starting with PA*, PB*, HRP*,
PCLn, will this cover my requirement?
A. I think you are good with identifying the tables. We do have a few other tables which store
HR configuration data, but I don't believe these will need to be separately secured because these
are not storing employee data. The key point to remember about privacy is to secure access to PII
(personally identifiable information).
Q. What is the difference between P_ORGIN and P_ORGXX, and why and how is P_ORGXX used to restrict
access? I have read the basic difference between the objects (the fields are different), but what I
do not understand is the application of this object. The fields related to various administrators,
what do they signify? Do we fill in the PERNR/user ID of the admin there? "A user has authorization for
data for only those time intervals when the user is assigned to P_ORGXX and/or P_APPL objects."
Is it the same validity range which we enter while assigning a profile/role?
A. The fields available in P_ORGXX are different from those available in P_ORGIN. So
basically it comes down to which one of these two helps you to map your client requirements.
For time logic and period of responsibility, I will refer you to the SAP documentation. I cannot
explain the various cases better than what the documentation already says.
Q. Do you happen to know what HR table contains time & expense data? Is it available in the HR
cluster tables (PCL1 & PCL2, Relation ID: TE / TS)? If yes, how do you access data from
these HR cluster tables?
A. The HR clusters store payroll and time evaluation results, among other things. I am not sure
about the expenses data. SAP provides standard reports to read data from the clusters, depending
on which of the clusters are being read. Directly reading the cluster tables would not help too
Q. Do you have any case studies of structural authorization being applied in ESS/MSS?
A. However, I can briefly share my own experience working on this. ESS shouldn't need the use
of structural authorizations as you are basically accessing your own personnel record. The only
exception to this is a situation where every user using ESS is restricted to certain HR objects. I
have not used structural authorizations with ESS. MSS, on the other hand, will need structural
authorizations in all but the simplest implementations. In MSS, a line supervisor is basically
restricted to viewing his reports. Here, in addition to the info-type access, the user can be assigned a
PD profile which traverses the standard org hierarchy. SAP provides a standard function
module, RH_GET_MANAGER_ASSIGNMENT, to evaluate the org hierarchy dynamically at
run time. This allows a single PD profile to be used for all managers. We used a similar design in
our system.
Q. What are the implications of having P_PERNR with authorization level set to *, info type set
to *, interpretation set to * and subtype set to *. Since Interpretation is set to * would the system
consider it E or would it consider it as I?

A. From a design standpoint, P_PERNR should never be used with interpretation set to *, as * might be interpreted either as E or I depending on the SAP version. Also, logically, * in this field does not make any sense to me. I would also be skeptical about using * in the info type field.
Q. I am implementing ESS/MSS for a client without structural authorization. The problem I have come across with setting up the authorization for ESS/MSS is that the Web Dynpro service for display of the pay slip checks access to P_ORGIN, which will interfere with our backend payroll access. I have read that the check should be switched off in the portal. Would you agree with this, and how can this be achieved? The auth objects checked for Web Dynpro services do not appear in
A. I might be mistaken, but I have not come across a situation where you could switch off checks for P_ORGIN for a Web Dynpro application. If the Web Dynpro is calling a report in the backend, you can investigate the use of the P_ABAP object. However, if you are just trying to use ESS to view a person's own pay slip, P_PERNR should be enough. This object only opens up access to a person's own personnel record, so it should not pose a problem to your existing payroll security. Let me know how you end up solving the issue. This would new visitor to the
Q. For structural auths to work, do we need to update table T77PR (user assignment to structural profiles)? I have been told we can assign a structural auth profile directly to a PFCG role using P_ORGXX. Will the table T77PR slow everything down?
A. The T77PR table holds the definition of the structural authorization, while T77UA stores the user assignment for PD profiles. There are ways to get away from maintaining this table, but you would need to use a user exit to read the PD profile data from the roles. Just updating an auth object will not work.
Q. How do you go about this situation? You want payroll administrators to be able to maintain their bank details, personal info etc. on ESS but not on the back end using PA30. How do you restrict this from happening?
A. Can't be done with standard security. You would need your development team to code an enhancement for either the ESS application or for PA30.
Q. I can't understand: when the authorizations for the info types are restricted via P_ORGIN and P_ORGXX, why do we need the PLOG object?
A. PLOG controls access to OM objects and info types. P_ORGIN and P_ORGXX control access to PA info types.
Q. Are there any disadvantages of using COARS=2 in roles? Are there roles where we should always use value 1 vs. using value 2?
A. Ideally you shouldn't be using P_ABAP in too many roles at all. And whenever you use P_ABAP in roles, it should be restricted to the particular report name which should be run with simplified security checks. Also, both of the possible values have their uses, but in different situations. I am giving 2 common examples:
1 is used for HR administrators who already have access to sensitive HR data. When a person with this level of security accesses the HR data of a large number of users (like for a mass data export for a country during payroll), a P_ABAP value of 1 can shorten the execution times.
2 is used to give non-HR users (like helpdesk staff) access to non-sensitive HR reports. Since a value of 2 will make the report run without any HR security checks, you have to ensure that the report doesn't display sensitive data. We use P_ABAP in such cases as otherwise we would have needed to maintain P_ORGIN (ORGXX) authorizations for these users, which would in fact allow them greater access to HR.
The Privacy Officer or Chief Information Officer can help you in the determination of sensitivity
of different data and the people who might access them. For any questions on access to HR data,
these people should always be consulted as violations might be against corporate policies or
prevalent laws.
Q. I have a question or two about context authorization. My client already has SAP HR implemented with much needed clean up, as no best practices were adopted. Currently their context authorization is not set up, but they have set up lots of existing structural profiles without
How do I assign, say, a Time Admin in a specific PERSA to the correct profile? I mean, how do I decide which of the matched profiles to use and how do I test? They have given me no data and no documentation.
2. If they have assigned several objects manually in the role, how do I decide which t-codes to assign to P_ORGINCON in SU24?
3. Do I assign the user to the structure in OOSB and also add the same profile in P_ORGINCON?
A. Are your clients using structural security at all? If not, you can just ignore the existing profiles and start building profiles from scratch. If you build from scratch you will probably have to do more work up front but will have a cleaner design. Whatever the case, I would suggest that you keep the number of PD profiles to the minimum. Use PD profiles for security only when general security cannot meet the requirements. If your client already uses structural security but is now moving to the context solution, you can get an idea about the functionality of the PD profiles by looking at OOSB and checking the roles assigned to users who are also restricted by PD profiles. Another way to find the objects returned by a PD profile is to check the PD profile definition in OOSP and click the I (information) button adjacent to each profile entry.
Once you have the PD profiles that are applicable for each HR role, you would need to add these profile values to P_ORGINCON (or P_ORGXXCON) in the PROFL field. The other field values for these objects would be the same as the corresponding P_ORGIN (or P_ORGXX) values.
Q. I have managed to sort out a few issues with my current client. I have implemented CONTEXT for HR. I have a few requests from my client and I can't seem to find a solution, although from a CONTEXT point of view my role design should have worked to restrict access to IT0008 such that 1) HR employees should be able to see their own IT0008 records. 2) They should be able to R/W/E IT0008 for all non-HR associates. 3) HR should be able to R/W/E data for all associates in the organization including HR (that is, all info types except IT0008 for HR).
My client doesn't want to create a PERSA for HR nor designate an ORG KEY to HR. They do not want to assign two user IDs to HR associates.
My solution:
1) Create a PD profile with the HR org unit as the start object.
2) Assign both ALL and the new HR PD profile to HR associates, with the exclusion button checked for the HR PD profile in OOSB (T77UA).
3) Assign the ORGANIZATION PD profile in the role that allows the user to access his/her IT0008 records but excludes IT0008 as a value in AUTHC (0000-0007, 0009-9999).
4) The role that gets the ALL PD profile also gets IT0008 as a field value. P_PERNR = R, IT0008, I, *.
PA, EG, ESG, ORG KEY are the same for both roles.
Result:
1. User can access his/her IT0008 records.
2. User can access all records of all associates outside of the HR department.
How do I solve this? Will an in-house FUNCTION MODULE work to exclude HR during runtime for IT0008?
A. I will take a shot at this but cannot guarantee that the solution will work. For simplicity's sake I will assume that you are currently using P_ORGINCON and P_PERNR for securing PA data. Create a copy of the ORGANIZATION PD profile, say XXX, and also assign this to the HR folks in T77UA. In the role giving PA access the following authorizations will be needed:
- INFTY 0000-0999
- INFTY 0000-0007, 0009-0999
- INFTY 0008
Other than this, have you given thought to who actually updates IT0008 for the HR team? Your requirement can also probably be met by using P_ORGXXCON with separate HR administrator groups for the HR folks and the rest of the employees. Let me know how it goes. Thanks for the question. First time I have come across this requirement, but it does sound like something that a lot of clients can ask for.
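The difference between a plain P_ORGIN check backed by T77UA and the context-sensitive P_ORGINCON check, as an added example that is not part of the original post and not SAP code: the pernrs, org units, PD profile contents and authorization values below are constructed to mirror the HR/IT0008 requirement in the question, and the matching rules are a simplified model of the two objects (each authorization instance must match on its own; P_ORGINCON additionally requires the target pernr to be returned by the PD profile named in that instance's PROFL field; P_PERNR decides the user's own record).

```python
"""Simplified model of P_ORGIN + T77UA versus context-sensitive P_ORGINCON.

Constructed illustration, not SAP code: pernrs, org units, PD profile
contents and authorization values are invented for the HR/IT0008 case."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed PA master data: pernr -> org unit (what IT0001 would carry).
ORG_OF = {"00001001": "HR", "00001002": "HR", "00002001": "SALES", "00002002": "IT"}

# Constructed result of PD profile evaluation for object type P: profile -> pernrs.
# (In SAP these sets come from the T77PR lines and their evaluation paths.)
PD_PROFILES = {
    "ALL": set(ORG_OF),
    "NONHR": {p for p, org in ORG_OF.items() if org != "HR"},
}


def infty_matches(infty: str, spec: str) -> bool:
    """Match an info type against one field value: '*', '0008' or a range '0000-0007'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return lo <= infty <= hi
    return spec == infty


@dataclass
class OrgAuth:
    """One P_ORGIN / P_ORGINCON authorization instance. All fields must match within
    the same instance; PROFL is only evaluated by the context-sensitive object."""
    authc: frozenset                 # e.g. {"R", "W", "E"}
    infty: tuple                     # values or ranges, e.g. ("0000-0007", "0009-0999")
    profl: Optional[str] = None      # PD profile name (P_ORGINCON only)


@dataclass
class User:
    pernr: str
    org_auths: list
    t77ua: list = field(default_factory=list)   # PD profiles assigned in OOSB (non-context)
    p_pernr: Optional[tuple] = None              # (PSIGN, authc set, infty specs)


def _own_record(user: User, activity: str, infty: str) -> Optional[bool]:
    """P_PERNR: True = own record included (I), False = excluded (E), None = no say."""
    if user.p_pernr is None:
        return None
    psign, authc, specs = user.p_pernr
    if activity in authc and any(infty_matches(infty, s) for s in specs):
        return psign == "I"
    return None


def check_pa(user: User, activity: str, infty: str, target: str, context: bool) -> bool:
    """Decide whether user may perform activity (R/W/E) on infty of pernr target.

    context=False: P_ORGIN plus a structural check against the UNION of the user's
    T77UA assignments (every assigned profile is independent, so they add up).
    context=True : P_ORGINCON; the pernr must be returned by the PD profile named in
    PROFL of the very authorization whose AUTHC/INFTY matched. T77UA is not used."""
    if target == user.pernr:
        own = _own_record(user, activity, infty)
        if own is not None:
            return own
    structural = set().union(*[PD_PROFILES[p] for p in user.t77ua])
    for auth in user.org_auths:
        if activity not in auth.authc:
            continue
        if not any(infty_matches(infty, s) for s in auth.infty):
            continue
        allowed = PD_PROFILES.get(auth.profl, set()) if context else structural
        if target in allowed:
            return True
    return False


# HR associate 00001001: every info type except 0008 for everyone (ALL), IT0008 only
# outside HR (NONHR), and read access to the own IT0008 record via P_PERNR.
HR_ROLE = [
    OrgAuth(frozenset("RWE"), ("0000-0007", "0009-0999"), profl="ALL"),
    OrgAuth(frozenset("RWE"), ("0008",), profl="NONHR"),
]
OWN = ("I", {"R"}, ("0008",))
hr_user_plain = User("00001001", HR_ROLE, t77ua=["ALL", "NONHR"], p_pernr=OWN)
hr_user_ctx = User("00001001", HR_ROLE, p_pernr=OWN)

if __name__ == "__main__":
    for label, u, ctx in (("P_ORGIN+T77UA", hr_user_plain, False), ("P_ORGINCON", hr_user_ctx, True)):
        print(label,
              "| colleague IT0008 read:", check_pa(u, "R", "0008", "00001002", ctx),
              "| own IT0008 read:", check_pa(u, "R", "0008", "00001001", ctx),
              "| sales IT0008 write:", check_pa(u, "W", "0008", "00002001", ctx),
              "| colleague IT0002 read:", check_pa(u, "R", "0002", "00001002", ctx))
```

In the non-context run the two T77UA assignments merge into ALL, so the IT0008 authorization reaches the HR colleague as well (the leak described in the question). In the context run the IT0008 authorization carries PROFL=NONHR and the colleague is not in that set, while the own record still comes through P_PERNR; writing the own IT0008 is refused because P_PERNR only grants R and NONHR does not contain the user.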
Q. I have requested the ABAPers to build an in-house FM that skips the HR org unit. I will see how a combination of this FM allows restriction of IT0008 for HR associates while granting access to all other records for other associates including HR. I will post my findings once I
2. Today, a defect was raised while accessing retiree records with CONTEXTUAL authorization. As I understand it, all field values will have to pass authorization checks in order to grant access. If the PERNR (RETIREES) is accessed, how will P_ORGINCON get around it if the PROFL check does not find the PERSON (PERNR) in the org structure? Retirees no longer have any position assignments in the org structure.
3. Recently, I requested that the DEV client be copied so that I can implement the CONTEXT solution. When a user executes SA38 and runs a report for a PERNR, it seems to work, but the system directs its output to a printer. Once print preview is pushed, it starts generating the report but it terminates halfway through the report without generating an error message in the status bar. When I execute SU53, the authorization check is asking for P_ORGIN?? STRANGE!! OOAC switches are set as follows: ADAYS=15, DFCON=2, INCON=1, ORGDP=1, PERNR=1, ORGIN=0 and everything else is set at 0. Do you think the printer settings could be the culprit? I have already asked BASIS to reset, but the error still prevails.
A. Good luck with your function module, though I am a bit skeptical about the robustness of the solution going into the future. Org units change in the course of time, and an FM hard-coded to skip a particular org might create more difficulties in the future. But as long as the business owners are on board, you shouldn't have to worry. After retiring, the erstwhile employees will be on the so-called default position (9999). The SAP system's access to these is controlled by the different values of the DFCON switch. Check which one works for you. There is a post in this blog which specifically talks about the DFCON switch.
Finally, I don't think the last error has anything to do with authorization. There is a user parameter (SAU) for writing to spool which might be at fault here.
Q. Is the security team responsible for t-code PPSOSE or is it the HR functional team? If it is the HR functional team, then how much of a role does the security team have in managing the org structure?
A. I think you have asked a very pertinent question and one which doesn't have any clear-cut answers. The security involvement in OM will vary with each installation. Ideally, for an installation using any SAP HCM functionality, the HR consultants or the HR end users should be managing the org structure. At best, security will be involved in only a support/consulting role for org structure management.
However, there are 2 areas in OM where security would be involved at a more detailed level. Firstly, if you use indirect role assignment (roles assigned to OM objects instead of directly to end users) and secondly, if you use structural authorizations. There might be a third case, where OM is implemented just to facilitate the above two security processes, i.e., indirect assignment and/or structural authorizations. In such a case, the security administrator might be expected to take over the entire org management responsibilities.
Q. I wanted to find out if there are any pros and cons of using indirect role assignment vs. direct role assignment. Are there additional steps that we need to take in order for the smooth functioning of indirect role assignment?
A. The basic idea behind indirect role assignment is to reduce maintenance effort during role assignment to users. In indirect role assignment, roles are assigned to OM objects like jobs, positions, tasks, org units, etc. Thus any person linked to any of these objects will automatically get the access without the security admins having to assign roles manually. There are quite a few technical prerequisites to fully implement indirect role assignment, and I plan to cover these in a new blog post in the near future. However, the out-of-the-box configuration that SAP provides is sufficient to implement some form of indirect role assignment. The critical success factor for indirect role assignment is to understand how correctly your org hierarchy mirrors the roles/responsibilities of your users. Some of the questions that need to be discussed with your business owners, functional consultants and security team are:
What is the correlation between the roles/responsibilities of users and their position in the org structure?
Who will be responsible for maintaining the org structure and how frequently?
Will users need their old access even if they move to a new position?
How will contractors be given access? Contractors are normally not part of the org structure and don't occupy a position. So do you continue to directly assign roles to contractors, or do you link them to the org structure in some way (for example through positions/jobs/tasks)?
Are you only concerned about a central ECC system, or are there other systems in the landscape (BW, CRM, SRM, APO, etc.)? Will the roles assigned in these other systems also be determined by the users' positions in ECC?
Q. I wanted to find out how we restrict users from changing the org structure while giving them access to update the org units (moving positions etc. in their own org units). Would restricting PPOM, PO10 etc. be sufficient, or are there other steps we have to take to secure the org structure?
A. To work with OM objects (which include the org structure) users need update access to the appropriate object types and activities through the PLOG authorization object. You can try restricting users to only being able to create certain relationships (subtypes for IT 1001). In case this is not sufficient, structural authorizations can be used to restrict access to only certain objects. I don't think restricting access to some transactions would work.
Q. How does everything fit together: how are the HR objects, structural authorizations, evaluation paths and org structures interconnected in an SAP system? It's like, for any system to work, what are the steps that need to be followed? I don't necessarily want to know how things are done but just an outline as to what all should be in place for the smooth functioning of the HR piece in
A. As far as general authorizations (roles) are concerned, there is not a whole lot of difference between HR and other functional areas. So you basically analyze the current business processes to arrive at a suitable user-role-t-code matrix, build your roles, test the roles and move them to production during go-live. For structural authorizations to work there are quite a few steps which need to be configured correctly. The key thing is to ensure that all the steps have been accounted for rather than follow a set sequence of steps. I would try to follow the following sequence, but other sequences would probably work just as well. Also remember that a lot of the following steps would typically be performed by the HR consultants.
- Start with setting the authorization switches; the integration between PA and OM should also be on (check with the HR team for this step).
- Build the org hierarchy.
- Determine if new object types and/or relationships are needed. If needed, configure these in
- Adjust existing evaluation paths or create new ones.
- Create PD profiles. Use static assignment of objects, evaluation paths or function modules depending on requirements.
- Decide on an assignment strategy for PD profiles (direct assignment or assignment via IT 1017 to positions/jobs etc.).
Always remember that the sequence will change as you keep working on your project. New requirements will come which need to be incorporated into your design.
Q. I assigned a PERNR (person) to a position in the org structure using t-code PPOSE. I then ran the reports RHBAUS02/01/00 for the user assigned the PD profile for which the org unit (that incorporates the position assigned to the PERNR) is the root object. I noticed that T77UA updated the new entries in SAP memory and I was able to see the new PERNR in OOSB. However, when I execute PPST, I do not see the new PERNR (person) that I had assigned in PPOSE, although I can see the org unit and the other PERNRs. Why did PPST not update to return all newly added objects? Is there a report that needs to run first in order for this update? Info type 0001 also updated right away for the PERNR after the assignment in PPOSE. OM is a little confusing as different views show the hierarchies differently. Which hierarchy is reliable for building PD profiles: PPOME, PPOSE or PPST? I know that without a reliable picture of the org structure, it is impossible to build a PD profile with a start object that incorporates several org units.
A. What is the evaluation path in the PD profile which is returning the pernr? Ideally this evaluation path with the same start object should return the same hierarchical tree in PPST. I normally use the evaluation path O-O-S-P for returning the org structure of a company while building PD profiles.
Q. An HR admin is trying to recruit (hiring process, t-code PA40, info type 0000, action type 1B-Hiring) one employee to a particular position which will be active from 01.09.2012. But the HR admin is getting an error saying "you are not authorized for the position XXXXXX". Here my doubt is: can't the user hire a person until the position is active, I mean until it is available in the org structure (T77UA)? Only then is he/she able to perform hiring actions? Meaning we can hire a person on that date when the position is active?
A. A lot of things might be happening. Start by running a security trace and check all the different auth objects being checked. Then start looking at structural authorizations. Are you trying to hire to a default position (99999)? Then check auth switches DFCON or ORGPD as applicable in your setup.
Q. I set up a structural authorization in OOSP to restrict the view of a person to a specific org unit only (in PPOSE, PPOME). It's working well, but the person can't seem to view and create jobs in PPOME. Can you help me determine which evaluation path in OOSP I should give the user access to?
A. This is more complicated than you think, as different evaluation paths return different objects depending on requirements. Do you need to restrict the view for any jobs? If not, a single entry in your PD profile for the object type without specifying any object id or evaluation path will give access to all jobs. If you need specific jobs, get in touch with your HR team for

A. The lines in the PD profile with just the object type specified denote that this profile gives access to all values for this object type.
Q. We are implementing structural authorizations and it's working perfectly for managers, but employees are unable to see any data, not even their own data. We are using the get-manager function module for managers and get-org-assignment for users. Under evaluation path I have given O-O-S-P for both the manager and the user profile. When I gave * in the user's role for the profile field in P_ORGINCON it works fine?
A. Do you mean that managers can view data for their reports but users cannot view their own data? Access to a user's own data is controlled through P_PERNR. You don't need to use a PD profile for controlling access to own data. You should also check if the access issues are for the user's own default position or for users trying to access other folks on a default position.
Your statement about * in PROFL in P_ORGINCON suggests this as one of the potential problems. Access to employees on default positions is controlled through the DFCON auth switch. There is a separate blog post here which talks about the various values for this flag and their impact.
Q. I am trying to use function module RH_GET_Person_FROM_USER to get the personnel number of a user so he can get access only to his pernr in the structural authorizations. When I go to SE37 and test the function module it is working fine. But when I try to use it in the structural profile, it's not giving output when the user tries to view his data in PA20. I think I am using the wrong evaluation paths; I tried P-S-O and A008, but no luck. It will be great if you can point me in the right direction. I am not sure what the actual relationship type between person and user is (between the P and US object types)?
A. If RH_GET_Person_FROM_USER just returns the pernr from the user id, you do not need any evaluation path or relationship in the PD profile definition. Just set the object type as P and
Q. I am new to HCM, and in the process of creating roles for our HR users. I want to allow a group of users access to display all employee types, but only update hourly employees. I can't seem to find the authorization object that allows this?
A. The key to solving this is to understand how hourly employees are classified in your system. Typically hourly employees will be a separate employee group/subgroup. If this holds true for your client, you can use P_ORGIN or P_ORGINCON for restricting access.

Q. Is the creation of function modules the responsibility of the security team or the HR functional team? Also, what are the benefits of function modules?
A. The function module entry in OOSP (PD profile definition) is meant to determine the start object dynamically during run-time. If you are comfortable with ABAP, no one is really stopping you from writing your own function module. However, in general security administrators shouldn't be expected to write code. In fact, the HR functional team is also mainly responsible for configuring the system. Writing code is almost exclusively left to the ABAP team.
Q. Do we need to have indirect role assignments when using function modules, or would direct role assignment work with function modules just fine?
A. The function modules are used for defining PD profiles. There is really no connection between using FMs in PD profiles and using indirect role assignment.
Q. In OOSP under the auth profiles I see sequence # and different object types, object IDs and different evaluation paths, so when we assign an authorization profile to the user how does all this come into play? Like in your example above, the profile Manager has so many entries, and if a user A is assigned the profile Manager, then what evaluation path does this user get access to?
A. While defining PD profiles through OOSP, please remember that each line (sequence numbers 1, 2, 3) is independent of the others. Each line will give access to the objects returned by the evaluation path mentioned under it.
Q. When we assign the auth profile to the user, then which authorization profile (which one from the sequence) is assigned?
A. If you take the example of the MANAGER profile, it's a single profile with a number of independent lines in its definition. So every line in the sequence will be independently assigned to the user once MANAGER is assigned to the user in OOSB.
Q. I am facing a peculiar issue with PD profiles. As per business requirements, I have used 2 evaluation paths:
1. O-O-S-P (display only for US)
2. ZU-O-S-P (for IT department only)
ZU = business line (like HR, IT)
O = org units like US, EMEA, AUS
I wanted them to work together so that I can give a person access to only IT and only in US. However, it doesn't work that way. The user is able to access all of ZU-O-S-P, which means he can change orgs for India also?
A. Check if the evaluation paths are working correctly. Transaction PPST is a good place to check this. If an evaluation path needs to be corrected, you would need to get in touch with the OM consultants.
Q. I would like to know if I can view who created a PD Profile on OOSP?
A. If you have table logging set up in your SAP environment, you can look at the changes for the
T77PR customizing objects in transaction OY18 or SCU3.
Q. On info type 1017, do you know what the exclusion column is all about? We thought that if you had a large structural authorization and there was a request for a user to have access to all but one org unit, the column was ticked, which seemed to work for PA20.Oa30 access but not for training and events, as it prevented the training catalogue from being displayed. I have read somewhere else that it is for the exclusion of branch structures from structural authorizations?
A. PD profiles, as you probably already know, are used to restrict users to a certain set of OM objects (positions, org units, persons, jobs, etc.). The exclusion flag in table T77UA, in OOSB or in IT1017 all serve the same purpose. Once checked, the user with this particular PD profile has access to all objects which are not part of the PD profile.
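How a PD profile resolves to a set of OM objects, as an added example that is not part of the original post and not SAP's implementation: a constructed org graph is walked along a simplified evaluation path, each OOSP line is resolved independently and the lines are unioned, the exclusion flag turns one OOSB assignment into its complement, and a stand-in for a start-object function module picks the root at run time from the user's manager assignment (the real RH_GET_MANAGER_ASSIGNMENT interface is not reproduced; the relationship ids B002, B003, A008 and A012 follow SAP's naming, but the objects, the user-to-pernr mapping and the profile definitions are invented). It also covers the questions above about independent sequence lines and about type-only lines.

```python
"""Constructed model of PD profile resolution (OOSP lines, evaluation paths,
OOSB assignments with exclusion). Not SAP code; all data below is invented."""
from collections import deque

# Constructed OM objects: (type, id) -> text. O org unit, S position, P person, C job.
OBJECTS = {
    ("O", "10000000"): "Company", ("O", "10001000"): "HR", ("O", "10002000"): "Sales",
    ("S", "20001001"): "HR Manager", ("S", "20001002"): "HR Specialist",
    ("S", "20002001"): "Sales Manager", ("S", "20002002"): "Account Exec",
    ("P", "00001001"): "Alice (HR)", ("P", "00001002"): "Bob (HR)",
    ("P", "00002001"): "Carol (Sales)", ("P", "00002002"): "Dave (Sales)",
    ("C", "30000001"): "Job Manager", ("C", "30000002"): "Job Clerk",
}
# Directed relationships (source, relationship id, target), SAP-style ids, invented data.
EDGES = [
    (("O", "10000000"), "B002", ("O", "10001000")), (("O", "10000000"), "B002", ("O", "10002000")),
    (("O", "10001000"), "B003", ("S", "20001001")), (("O", "10001000"), "B003", ("S", "20001002")),
    (("O", "10002000"), "B003", ("S", "20002001")), (("O", "10002000"), "B003", ("S", "20002002")),
    (("S", "20001001"), "A008", ("P", "00001001")), (("S", "20001002"), "A008", ("P", "00001002")),
    (("S", "20002001"), "A008", ("P", "00002001")), (("S", "20002002"), "A008", ("P", "00002002")),
    (("S", "20001001"), "A012", ("O", "10001000")), (("S", "20002001"), "A012", ("O", "10002000")),
]
# Simplified evaluation paths: any listed (source type, relationship, target type) step
# may be applied to any object already reached. SAP's skip/depth options are omitted.
EVAL_PATHS = {
    "O-O-S-P": [("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "P")],
    "O-S-P": [("O", "B003", "S"), ("S", "A008", "P")],
}
USER_PERNR = {"ALICE": "00001001", "CAROL": "00002001"}   # constructed user -> pernr link


def evaluate(root, path_name):
    """Breadth-first walk of the evaluation path from root; returns every object reached."""
    steps = EVAL_PATHS[path_name]
    seen, queue = {root}, deque([root])
    while queue:
        obj = queue.popleft()
        for src, rel, tgt in EDGES:
            if src == obj and (obj[0], rel, tgt[0]) in steps and tgt not in seen:
                seen.add(tgt)
                queue.append(tgt)
    return seen


def get_manager_assignment(user):
    """Stand-in for a start-object function module: org units managed (A012) by the
    positions (A008) held by the user's pernr. Constructed logic, not SAP's FM."""
    pernr = ("P", USER_PERNR[user])
    positions = {s for s, rel, p in EDGES if rel == "A008" and p == pernr}
    return [o for s, rel, o in EDGES if rel == "A012" and s in positions]


def resolve_line(line, user):
    """Objects granted by one OOSP line. Lines are independent; resolve_profile unions them."""
    if "fm" in line:                      # root determined at run time
        roots = line["fm"](user)
    elif "objid" in line:                 # static start object
        roots = [(line["otype"], line["objid"])]
    else:                                 # type only: every object of that type (or every object for *)
        return set(OBJECTS) if line["otype"] == "*" else {o for o in OBJECTS if o[0] == line["otype"]}
    out = set()
    for r in roots:
        out |= evaluate(r, line["path"]) if "path" in line else {r}
    return out


PD_PROFILES = {
    "ALL": [{"otype": "*"}],
    "MANAGER": [
        {"otype": "O", "fm": get_manager_assignment, "path": "O-O-S-P"},   # seq 1: own org tree
        {"otype": "C"},                                                    # seq 2: all jobs
    ],
    "HR_BRANCH": [{"otype": "O", "objid": "10001000", "path": "O-O-S-P"}],
}


def resolve_profile(name, user):
    return set().union(*[resolve_line(line, user) for line in PD_PROFILES[name]])


def user_objects(assignments, user):
    """assignments: list of (profile, exclusion flag) as in OOSB/T77UA. Every assignment
    is independent and they add up; the flag turns that one assignment into its complement."""
    granted = set()
    for profile, excluded in assignments:
        objs = resolve_profile(profile, user)
        granted |= (set(OBJECTS) - objs) if excluded else objs
    return granted


if __name__ == "__main__":
    for user in ("ALICE", "CAROL"):
        print(user, "MANAGER:", sorted(OBJECTS[o] for o in user_objects([("MANAGER", False)], user)))
    print("CAROL, HR_BRANCH excluded:", sorted(OBJECTS[o] for o in user_objects([("HR_BRANCH", True)], "CAROL")))
    print("ALICE, ALL + HR_BRANCH excluded:", len(user_objects([("ALL", False), ("HR_BRANCH", True)], "ALICE")), "objects")
```

The last line of the demo is the combination tried in the HR/IT0008 question above: because assignments are unioned, ALL together with an excluded HR_BRANCH profile still yields every object, so the exclusion has no effect in that pairing. Exclusion only narrows access when it is the sole (or the widest) assignment, as in the CAROL case.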
Q. I wanted to find out if there is a way of mass removing the PD profiles from the users. We have 200 users that we are trying to remove, and going into OOSB and doing it one at a time would probably be a day's work. Can you please suggest an easier and less painful way of doing
A. I don't believe there is a transaction for mass removal, but you can use any of the existing tools for mass action for removing profiles. Thus any of SECATT, LSMW or SHDB will work. This blog already has another post on how to use LSMW for mass user creation. Creating a script for PD profile removal will follow the same general steps.
Q. I wanted to find out what is the best way to approach this issue. We have multiple time keepers in the company. Would the best way be that for all the time keepers I create one role, make personnel area an org level, assign them the personnel area they are responsible for and assign each of them a PD profile with the correct evaluation path they are supposed to access, or is there another approach I should take?
A. My personal view is to use structural authorization only in those cases where general authorizations would not be enough to meet requirements. In your case, if timekeepers are responsible for all individuals in personnel areas, a general authorization solution should be enough. Only in the case where timekeepers are responsible for just certain people in a personnel area should you be thinking of setting up structural authorizations.
** I think the t-code used to assign PD profiles to users is OOSB, whereas OOAC is used to maintain auth switches.

Q. Explain the process of assigning PD profiles to OM objects like positions? I am not able to navigate to the screen which you have shown above in the example through PP01/PP03. Kindly explain with some more detailed steps to get to the above screen?
A. PP03 allows you to modify positions. To add PD profiles, select the position in PP03, select the position id in the initial screen, scroll down and highlight PD profiles at the bottom of the screen, and create the new entries for PD profiles. It's this screen that's copied in the above article. On saving the entries, the PD profile is attached to the position. The same process can be used in PP01 as well.
Q. How do you deal with multiple employees seeing their own pay slips? The problem is that we have managers who are MEs: they are a manager within one org unit and a normal employee in another org unit. With structural authorizations they can see their own org unit and staff. But to display their pay slip via the portal, the program determines that they need to see their second (third etc.) job, for which they do not have authorization to see that employee, even though it is their own second record.
A. First of all, this is the first time I am hearing the exact term "multiple employees". Do you mean employees who have more than one active pernr using the concept of Concurrent Employment? How do you identify the different pernrs linked to an ME? Once you find the answer to this question you need to write a function module (it will follow similar logic to the RH_GET_MANAGER_ASSIGNMENT function module supplied by SAP) which will dynamically take the user id of a person and identify the different pernrs assigned to him. This function module should be used as a new line in the existing PD profile for managers.
Q. I would like to understand this from a blueprint perspective in regards to HCM. What I have at the moment is the BPML from the functional team as a base template to start off, but I'm puzzled how to start off with the requirements gathering: how would I know a specific task/activity to group it under a business role? Is this functional-team driven or security driven? The workshops between the functional team and the client happened without involving the security team. How would I best approach it? Please share your thoughts.
A. The job of determining business roles should be owned by the clients, as the business roles are really the unique responsibilities of their business users. Start with a meeting where business reps, functional consultants and security folks are all involved. A simple breakup involves determining the unique teams working in their company. For HR, you might have different teams for recruitment, benefits, compensation, staffing, organization management, payroll, time entry etc. Some teams might have sub-teams as well; external, internal and flexible staffing come to mind. Once the teams are identified, you can start by building roles and use the SAP* template roles provided by SAP as guides. Add/remove t-codes depending on feedback from users and functional teams. If you are using GRC, run a risk analysis for your roles to see which ones have inherent conflicts and need to be adjusted.

Q. 1) Context-based solution (P_ORGINCON): the profile name is added to the PROFL field of P_ORGINCON. T77UA is not updated.
2) BADI HRBAS00_GET_PROFILE (for automatic profile assignment). Does not update table
3) Two function modules: FM 1, standard RH_GET_MANAGER_ASSIGNMENT for managers; FM 2, custom ZFM for central HR professionals, which provides access to org units based on the contract value in IT0001. Now, we are pulling ECC/HR data to the BW system using 0PA_DS03.
Issue: I found everything seems to be working fine (BADI, standard FM and P_ORGINCON) on the ECC side (RSA3) and on the BW side. However, the custom FM works perfectly on the ECC side (displaying data in PPOSE etc.) but does not show any records when checked in RSA3. So the data which is going to BW is also not correct. How and where is the problem?
A. Remember that this is a standard extractor delivered as part of the business content, and you might need to tweak the logic to make it work for you. Since your structural security is working properly on ECC, the matter would be better investigated by someone with more experience with extractors. Also check that the id you are using for RSA3 or running the extraction has full general and structural authorizations.
Q. The difference between normal mode & expert mode?
A. Using the expert mode allows you to re-read the SU24 check indicator values and defaults
during role maintenance. You can choose to merge these values with the existing values in the
role. The normal mode will not give this option.
Q. Should we run RHBAUS02 first and RHBAUS00 later on a periodical basis in an organization where we can expect daily OM changes? Please also elaborate on the use of job RHBAUS02. Do these jobs still need to be run when we are using the context solution to assign profiles to users through roles using the P_ORGINCON and P_ORGXXCON objects?
A. I think the functionality behind RHBAUS02 is already covered in the post below. Just go through it, as I really don't have anything more to say. Normally both these jobs are scheduled to run in the background. RHBAUS00 should be scheduled once RHBAUS02 has finished.
Q. I have built a PD profile (NEW-ORG) to exclude HR associates from seeing each other's
pay (IT0008), while being granted access to update non-HR associate IT0008 records. It was a
tedious process since it involved statically including all ORG UNITS except HR in my OOSP
entries with P_ORGINCON maintained as follows: AUTHC=R, IT=0008, PROFL= (NEWORG). So far it seems to work. The only problem is that only current IT0008 records are blocked
for fellow HR associates. Historical pay records for former position/org assignments are still
visible. From my understanding of CONTEXT AUTHORIZATION, the system only picks up
objects defined by the evaluation path for OBJECTS, in this case OBJ=P, and grants access in
table T77UA. Why does a historical assignment still show in T77UA? Is there a way to lock
historical IT0008 records from a SECURITY point of view? Or can this only be done through
TC PA* access?
A. If your PD profile doesn't include the HR org units then how are you even getting read access
to IT0008 of HR associates? Are there other authorizations which give access to IT 0008?
According to period of responsibility/time logic principles, if you get update access to even a
single info-type record for a pernr, you would have read access to all records for the pernr for the
same info-type. Were the offending pernrs ever on a default position? If your DFCON switch is
set to give access to all employees with default positions, you will have read access to all their
info-type records.
Q. I have implemented the CONTEXT SOLUTION for Time Administrators in different
geographical areas in the organization. When I assign a Time Admin role to a test user everything
works okay except that the user only displays half of the PERNRS assigned in T77UA (OOSB)
when he pushes the entry help (match code) button for a wide search of all possible PERNRS.
How do I display the entire list of object type P authorized in T77UA? I have already run the
reports RHBAUS02 followed by RHBAUS00 but the user still matches only about half of the
associates in the branch structure defined by the PD profile, and yes, I have assigned the PD
profile in P_ORGINCON field = PROFL. The user is able to update records for all PERNRS
(even if they are not matched) that are authorized via the PD profile. How can I display all PERNRS
for users to select from? Where can I verify if there is a restriction on the match code range? The
PERNRS not visible start from 41000+. AUTSW PERNR=1 and DFCON=4 to allow access to
non-integrated positions?
A. If you can see a pernr in OOSB, the PD profile is not restricting access. Check the general
authorizations (roles) assigned to the user to find if something is missing. Also, in many cases,
the entry help only returns the first 500 or so of the matches. This is certainly not a security error.
Are you sure you are not facing this issue?
Q. This is one of those instances where you think you have done everything right and yet the
expected results are not what you get. For example when I execute PPOSE, I see two
PERSONS assigned to the same position: Two Admin. Clerks. The only thing different about
them is that one has a PERNR 40473 and the other 42576. They both belong to the same
PERSA, EE, and ESG etc. In one of my P_ORGINCON iterations, I have customized as ff:

The entry help returns all PERNRS <42000 and excludes all PERNRS above 42000. In my
example, both associates' PERNRS should have been returned. My list is only 10 instead of the 25
returned via the PD profile in OOSB. I have been struggling for weeks to fix this but can't seem to
figure out the missing authorization. If the user enters the PERNR in the PERNR field, he is
able to R/W/E etc. without any problems for all PERNRS in OOSB. Is it possible to restrict a
PERNR range to be returned by the search help?
A. Search helps also use the same auth objects as the other reports but I am pretty sure that you
cannot actually restrict by pernr ranges. There might be a problem with config options for the
search helps which are only returning certain pernrs. A quick security check will be to log in
with SAP_ALL and check if you can get 10 or 25 entries in the search helps.
Q. Today I am encountering a problem reading the authorization profiles although I thought I
understood it fairly well. In OOSB I see a PERNR under object type P. The root object assigned
to the PERNR is, say, 9000xxxx. When I execute PPOSE and display 9000xxxx, I expect to find
the person who has been assigned PERNR 9000xxxx. I don't find him, but I find him under a
completely different ORG UNIT with a completely different org unit ID. Why is OOSB showing
one root object for the PERNR while the ORG STRUCTURE shows the same PERNR under a
totally different ORG UNIT? How do you get both to be in sync? The beginning date of the
PERNR in OOSB is 07/20/2007-12/31/9999?
A. Trying to relate the views in PPOSE to what you see in OOSB will need you to have a
substantial understanding of Org Management and the different configuration options available
in PPOSE. I will not attempt to answer your question as there are just too many things that might
be happening. I would suggest getting in touch with your HCM consultants.
Q. Currently users are assigned various PD profiles in the UAT client for the structural authorizations.
ESS is one of them; this includes the LSO course catalogue by trust. In the ESS PD profile we have used
the function module ZLD_FILTER_COURSEDETERMINE, which runs by the evaluation
path L-D-E, so that users will see their own catalogue belonging to their trust/company code.
Problem: Since a couple of days users are not able to see the course catalogues even though the relevant
PD profile and roles are assigned to the users and the users' positions. I think this could be a T77UA
table overflow kind of issue. But if I delete the PD profiles and re-assign the PD profile to the user
position and run the index generation job, users are able to see the course catalogues belonging to
their trust/company code. This is not additional access, only refreshing the user access by
deleting and re-adding the PD profiles to the positions. This shouldn't be the case at all; if users
have PD profiles assigned to their positions and have entries in the table T77UA, all structural
authorizations should work?
A. Since you have mentioned that re-generating the indexes for the users solves the problem, I am
assuming that the PD profiles are returning the correct set of objects. To confirm this, check the
RHAUTH01 report for the users who are missing course catalog entries. If this report doesn't
show up the required entries you would need to troubleshoot the function module you have
mentioned. Please note that if you are indeed indexing the users, the indexing job should be
scheduled to run every day or at some other periodic interval.
Q. I implemented context authorization with AUTHORIZATION MAIN SWITCHES as ff:
All Other Switches= 0
I tested the access granted for the various PD profiles for 104 Time Administrators and everything
worked fine. Now the 2nd phase of my project requires me to clean up 126 HR roles. I have also
built context roles for the users. I noticed today that I forgot to assign a TEST USER in OOSB
and yet he is able to execute PA* T-CODES successfully without any errors. When I check
ENTRY HELP for PERNRS, he is able to return all associates in the organization and maintain
HR master data for the assigned employee subgroup. I only assigned the ALL PD profile in
P_ORGINCON and NOT in OOSB. What I expected to happen is a structural authorization
failure. Why did the system fail to catch this omission? Also check my SWITCH SETTINGS. I
know these settings are good for CONTEXT. Did I miss anything?
A. The value of the switches is fine. If you don't have an entry for a user in OOSB, the system
interprets the user to have the same PD profile as the one assigned to SAP*. In all probability
this is what you are facing.
Q. I have configured my OOAC switches as follow:
I do not see how Context will work if ORGPD=0. My understanding of the CONTEXT solution
is that there has to be an intersection between structural authorization and general authorization.
So far my OOAC switches work with no problems except that today I noticed that if ORG
ASSGMNT=00000000 and POSITION=99999999 then I get an authorization error. You
suggested that PERSA should be assigned the value *. What if the client wants to restrict access
to PERSA as I am facing? How do I get the non-integrated positions described above to work
without authorization errors?
2. How do I get RHBAUS02/RHBAUS00 to run immediately following any object assignment
/update to a user without always going back into SE38 to run those reports? Can I schedule these
reports to run constantly, I mean immediately following changes in the user's object repository?
A. The switch ORGPD was used for structural authorization in a non-context scenario. In the
context solution, ORGPD has been replaced by DFCON, which controls access to non-integrated
pernrs, and the INCON, XXCON and NNCON switches, which control the authority checks for PA
auth objects. In your case the ORGPD value is interfering with the DFCON value and restricting
access. Try changing the value to 0, which should take care of the issue you reported. The best
practice while using RHBAUS02/RHBAUS00 is to schedule them to run in the background once every
day. As far as I know you cannot automate them to run every time the OM structure is changed,
nor is it advisable to run them like this as that would cause a needless load on server
resources. Also investigate if you need these jobs at all. As long as the number of OM objects per user is less
than 1000 or so, these jobs are not going to make too much of a difference.
Q. How does the MSS PD profile work? Is the MSS PD profile also provided as a default from SAP
like the ALL PD profile? Can you provide some insight into automating MSS PD profile assignment to managers? My strategy is to assign the MSS PD profile to each
manager's position in the structure as well as in each MSS role and then schedule RHPROFL0
to update T77UA. Do I need to build each MSS PD profile based on a root object or does it work
like a function module?
A. SAP provides a standard function module to determine the start object for a manager profile.
To the best of my knowledge, you would have to build the PD profile yourself as I don't believe
SAP provides any profile to work out of the box. For automating assignment, you can
assign the PD profile to each manager's profile and run RHPROFL0 as you have been doing.
Q. Currently we are using standard role based security for HCM system (SAP ECC 6.), and
client wants to go for Structural authorization.
Current set up is like below.
Authorization object is P_ORGIN and Authorization switch Values (OOAC) are like below
AUTSW ADAYS 15 HR: Tolerance Time for Authorization Check
AUTSW APPRO 0 HR: Test Procedures
AUTSW DFCON 1 HR: Default Position (Context)
AUTSW INCON 0 HR: Master Data (Context)
AUTSW NNCON 0 HR: Customer-Specific Authorization Check (Context)
AUTSW NNNNN 0 HR: Customer-Specific Authorization Check

AUTSW ORGIN 1 HR: Master Data

AUTSW ORGPD 0 HR: Structural Authorization Check
AUTSW ORGXX 0 HR: Master Data Extended Check
AUTSW PERNR 0 HR: Master Data Personnel Number Check
AUTSW XXCON 0 HR: Master Data Enhanced Check (Context)
I need some help/Guidance on below.
1. We have employees with default positions 9* who do not have any organizational assignment
(in IT0001). What switch should I enable and what should the value be (I have gone through the
documentation already, but I need a recommendation) in order to get the report on these?
2. We have employees with positions starting 8* and 7* who do not have any organizational
assignment (in IT0001). As these employees are not assigned the SAP default positions, how do
I handle this in order to get the report on these employees? Is anybody having a similar situation
and what best practices are followed (like usage of BADIs and function modules etc.)?
3. Can the authorization switches DFCON and ORGPD be enabled at the same time?
4. Will DFCON work along with P_ORGIN? I did some testing but it seems to be
not working. Responses will be highly appreciated and correct recommendations will be
A. For plain structural authorizations, you use ORGPD. For the context solution, you use
DFCON in combination with either of INCON, XXCON or NNCON. Whether you use the
context solution is driven by requirements.
2. DFCON/ORGPD values are again driven by requirements and who should be able to see the
people on the default position. There is no general guidance as such.
3. Where in the org hierarchy do the employee positions starting with 8* and 9* fall? The
structural authorization concept first evaluates the org structure and only evaluates the Org Unit
in IT 0001 for non-integrated positions, i.e. positions which are not part of the standard OM
Q. Can you please suggest if there is any standard solution for accessing terminated employees in
delimited Org Units? We are using context authorizations, DFCON=1. When an employee is
terminated, the Org Unit value remains the same (e.g. 00000001). So when the Org Unit is delimited,
it is not included in any PD profiles. As a result HR is not able to re-hire employees in
delimited Org Units. Earlier we had DFCON=4, but it was allowing HR users to access also
employees out of their area of responsibility, which was not acceptable?
A. If an HR administrator has access to an Org Unit, and I believe they still do after terminating
the person, they shouldn't be facing an authorization problem for re-hiring. This might be a
configuration problem with the re-hire action rather than security, but again I might not be getting
the complete picture via your comment. Note that it's the person's record that gets delimited and
not the org unit itself. If the org unit itself is delimited, it really is no longer a part of your org
hierarchy and no one should be able to hire into it. Also, not a solution to your problem, but a
configuration option that I have encountered in multiple installations is to put all terminated
employees into an org unit specifically built for terminated employees. All HR administrators are
set up with access to this org unit.
Q. How do we limit access on the default position employees or employees without an Org Unit?
We have tried various combinations of the T77S0 switches without much luck. We either end up
taking away all access or giving full access to these employees.
Here is the issue:
ALL our users are able to see the following:
Employees that were in the default position (9999999) OR employees that DON'T have an Org Unit.
This is our T77S0 set up currently
AUTSW DFCON 3 HR: Default Position (Context)
AUTSW INCON 1 HR: Master Data (Context)
AUTSW NNCON 0 HR: Customer-Specific Authorization Check (Context)
AUTSW NNNNN 0 HR: Customer-Specific Authorization Check
AUTSW ORGIN 0 HR: Master Data
AUTSW ORGPD 1 HR: Structural Authorization Check
AUTSW ORGXX 0 HR: Master Data Extended Check
AUTSW PERNR 1 HR: Master Data Personnel Number Check
Here is P_ORGINCON on one of our display roles
HR: Master Data with Context
Authorization level M, R
Info type 0000-9999
Personnel Area US01
Employee Group *
Employee Subgroup *
Authorization Profile ALL
Subtype *
Organizational Key *
And here is how our ALL profile is set up
Authorization profile Sequence number Plan Version Object Type Object ID Evaluation Path
Status vec. Display depth Sign Maintenance Period Function module ALL 000 ** * 000000000

A. This is controlled by the different values of the DFCON and ORGPD switches. This post talks
about all the different behaviors that can be achieved. Please read through them to understand
what each of the values does. However, for people on the default position without an org unit in
PA0001, you can only either give access or deny access through the standard security. If you
need finer control, one option might be to move different groups of people into different orgs in
PA0001. Also, I would suggest changing ORGPD to 0 as you seem to be using the context
solution. For the context solution, the DFCON switch is sufficient to control access to people on default
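The two T77S0 listings above (the P_ORGIN setup with DFCON=1 and the one with ORGPD=1 next to INCON=1) can be checked mechanically against the rules the answers give: the context solution pairs DFCON with INCON, XXCON or NNCON, and ORGPD must then be 0 because it interferes with DFCON. The checker below is an added example, not code from the Q&A; it only encodes those two rules and reads the switch lines in the same "AUTSW <switch> <value> <text>" layout as quoted above.

```python
"""Consistency check for the HR authorization main switches (T77S0, group AUTSW / OOAC).

Added example. Rules encoded are only those stated in the answers above:
  1. Context solution = DFCON together with INCON, XXCON or NNCON.
  2. With the context solution active, ORGPD should be 0 (it interferes with DFCON).
"""
import re

CONTEXT_SWITCHES = ("INCON", "XXCON", "NNCON")

# Matches lines such as "AUTSW DFCON 3 HR: Default Position (Context)".
LINE_RE = re.compile(r"^\s*AUTSW\s+(\w{5})\s+(\d+)\b.*$")


def parse_switches(text):
    """Parse the OOAC-style listing into {switch_name: int_value}."""
    switches = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            switches[m.group(1)] = int(m.group(2))
    return switches


def context_solution_active(switches):
    """True when any of the *CON check switches is switched on."""
    return any(switches.get(s, 0) != 0 for s in CONTEXT_SWITCHES)


def check_switches(switches):
    """Return a list of findings; an empty list means no conflict under the rules above."""
    findings = []
    orgpd = switches.get("ORGPD", 0)
    dfcon = switches.get("DFCON", 0)
    if context_solution_active(switches) and orgpd != 0:
        findings.append(
            "ORGPD=%d while INCON/XXCON/NNCON is active: set ORGPD to 0, "
            "DFCON controls default-position access in the context solution" % orgpd
        )
    if dfcon != 0 and not context_solution_active(switches):
        findings.append(
            "DFCON=%d but no context switch (INCON/XXCON/NNCON) is active: "
            "DFCON is used with the context solution, plain structural checks use ORGPD" % dfcon
        )
    return findings


def recommended_fix(switches):
    """Return a copy with ORGPD cleared when the context solution is active (rule 2)."""
    fixed = dict(switches)
    if context_solution_active(fixed):
        fixed["ORGPD"] = 0
    return fixed


# Constructed copies of the two listings quoted in the questions above.
SETUP_P_ORGIN = """
AUTSW DFCON 1 HR: Default Position (Context)
AUTSW INCON 0 HR: Master Data (Context)
AUTSW NNCON 0 HR: Customer-Specific Authorization Check (Context)
AUTSW ORGIN 1 HR: Master Data
AUTSW ORGPD 0 HR: Structural Authorization Check
AUTSW ORGXX 0 HR: Master Data Extended Check
AUTSW XXCON 0 HR: Master Data Enhanced Check (Context)
"""

SETUP_CONTEXT = """
AUTSW DFCON 3 HR: Default Position (Context)
AUTSW INCON 1 HR: Master Data (Context)
AUTSW NNCON 0 HR: Customer-Specific Authorization Check (Context)
AUTSW ORGIN 0 HR: Master Data
AUTSW ORGPD 1 HR: Structural Authorization Check
AUTSW ORGXX 0 HR: Master Data Extended Check
AUTSW PERNR 1 HR: Master Data Personnel Number Check
AUTSW XXCON 0 HR: Master Data Enhanced Check (Context)
"""

if __name__ == "__main__":
    for name, text in (("P_ORGIN setup", SETUP_P_ORGIN), ("context setup", SETUP_CONTEXT)):
        sw = parse_switches(text)
        print(name, "->", check_switches(sw) or "no findings")
        print(name, "after fix ->", check_switches(recommended_fix(sw)) or "no findings")
```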
Q. We have a default position, i.e. 99999999, in the organization structure. Any user who is
not assigned to any position automatically gets assigned to this default position. I want to
add a role to this position but the system says the position does not exist?
A. I have never actually tried doing this but I believe the system will not allow you to add roles
to the default position as this is not really an actual position in the org structure. Since these
people on the 99999 position are not actually part of the org structure, indirect role assignment
probably would not work for them. I think you are trying to set default access for all users? One
way of handling this is to add the default access when the user masters for new users are actually
being created.
Q. Will users need their old access even if they move to a new position? How do we achieve
this, do we map a single pernr/object ID to more than one position? When a person changes
position, wouldn't the roles associated with the previous position assignment (which doesn't exist
anymore for the user) get auto-removed by the system?
A. The indirect position role assignment will remove the access once a person moves to a new
position. I am yet to see a standard way to achieve this without a significant amount of coding.
Q. Do we need to maintain all the entries as you have maintained them in OOAW or simply
maintain a single entry for AG? Also what will the related object be? I am assuming it would be
Position (S). Secondly, I would like to have indirect role assignment ONLY for MSS access. I do
not want any other indirect role assignments. Do you think I need to be careful about it
compromising some other functionality? Looking forward to your response?
A. The default definition of the evaluation path should already be provided by SAP and for
assigning access to positions like in the case of MSS should work without you having to update
this at all. You just assign the MSS role to the manager positions and run PFUD checking the
options for org assignment. You dont need to use indirect assignment of roles for all roles or

Q. Can an end user reset their password by themselves in SAP? Please let me know if it is allowed in SAP
and, if yes, how can we configure this?
A. To change my password, a user would need to know their existing password. You might have
a profile parameter to control this.
Q. In my project the functional team has created cases using the standard detective role.
Now when they are trying to edit the case, the error "you do not have edit authorization" is shown. I
tried to run a trace, but all RC codes are 0?
A. The next step would be to contact the CRM functional consultant for inputs if the trace returns
nothing here. Google can help as well. I don't have access to a CRM system to try out the
Q. We have just set up CRM and when I go in and look at the roles, the objects sales
organization, distribution channel etc. are not appearing in the organizational levels list in PFCG.
They have been pulled into the role, but don't seem to appear as organization levels. As a result I
won't be able to use master-derived on the sales org and dist channel. Is there something wrong
with the tables in CRM or should it be like this?
A. This appears to be a general question and not
expressly dealing with CRM. A lot of authorization fields delivered by SAP are not org levels in
the default set up. The sure way to check is to look at the entries in the USORG table (these are
the fields which are set up as org levels in your client). Depending on your requirements you can
always convert an authorization field to an org level by using the standard program
PFCG_ORGFIELD_CREATE. However, a few precautions need to be taken before and after
running the program. Please do a quick search for the program in Google and its
documentation before running it. Hope this helps!
Q. I have struggled to find the custom components in the authorization default UIU_COMP. I came
to know there is a report which, when run, finds all the custom components when you
search in authorization default UIU_COMP?
A. The values in UIU_COMP are derived from the CRM UI links. So in all probability there will
be CRM functional reports for the same. From a security standpoint, you can look up the object
UIU_COMP for External Services in SU24. That would give you all the component names
where UIU_COMP is checked and what values are needed in the role to authorize the access.
Q. How would we update the PFCG role once the business role is updated? I created a PFCG role
by importing the text file created after running the CRMD_UI_ROLE_PREPARE program, but
now the business role has been updated with more functionality. How can I update the PFCG role
with that functionality? Do I have to again create a new role menu through the program and
update the PFCG role menu by importing the file, or is there any other way?
A. For changes to an existing role, you can just add the services (UI applications) that were
added to the business role to the security role. The SU24 defaults for these new services would
be automatically pulled into the role when you try to maintain the authorizations for the role.
Otherwise you can continue to use the CRMD_UI_ROLE_PREPARE program and basically
build the role from scratch. However, this looks like more work to me.
Q. Is there a way/report that can check for all vacant positions with security roles assigned to them?
I am trying to clean up all my security risks by taking off all security roles attached to
positions which are no longer occupied?
A. I am not aware of a standard SAP report to perform this job. However, you can find
the vacant positions from table HRP1007 and the roles assigned to positions from table
HRP1001. You can export these tables to excel/access and analyze the data. A simple join should
get you the data you need. Otherwise you can try creating a join for the two tables in SQVI.
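The join the answer describes, carried out on a small constructed export of the two tables. This is an added example, not code from the Q&A; the field names (OTYPE, OBJID, BEGDA, ENDDA and a VACAN flag for HRP1007; RSIGN, RELAT, SCLAS, SOBJID for HRP1001), the use of object type AG for roles and of relationship B/007 for "position is described by role" are assumptions to confirm in SE11 against your own export. It also applies the key-date check that a raw join would miss: a delimited vacancy or a delimited role relationship should not be reported.

```python
"""Vacant positions that still carry role assignments: join of HRP1007 and HRP1001 exports.

Added example with assumed field names (see lead-in). Both tables are time-dependent,
so every row is filtered on a key date before joining, otherwise delimited vacancies or
delimited position-to-role relationships show up as false positives.
"""
from datetime import date

HIGH_DATE = date(9999, 12, 31)


def hrp1007(objid, begda, endda, vacan="X"):
    """Constructed HRP1007 (vacancy) row for a position; VACAN='X' = vacant (assumption)."""
    return {"OTYPE": "S", "OBJID": objid, "BEGDA": begda, "ENDDA": endda, "VACAN": vacan}


def hrp1001(objid, sclas, sobjid, begda, endda, rsign="B", relat="007"):
    """Constructed HRP1001 (relationship) row from a position to another object."""
    return {"OTYPE": "S", "OBJID": objid, "RSIGN": rsign, "RELAT": relat,
            "SCLAS": sclas, "SOBJID": sobjid, "BEGDA": begda, "ENDDA": endda}


# Constructed sample export: three vacant positions, one vacancy already delimited.
VACANCIES = [
    hrp1007("50001001", date(2012, 1, 1), HIGH_DATE),
    hrp1007("50001002", date(2012, 1, 1), date(2012, 6, 30)),   # filled again mid-2012
    hrp1007("50001003", date(2012, 1, 1), HIGH_DATE),
]

RELATIONS = [
    hrp1001("50001001", "AG", "Z_HR_DISPLAY", date(2012, 1, 1), HIGH_DATE),
    hrp1001("50001001", "AG", "Z_HR_MAINTAIN", date(2012, 1, 1), date(2012, 3, 31)),  # delimited role
    hrp1001("50001002", "AG", "Z_HR_DISPLAY", date(2012, 1, 1), HIGH_DATE),
    # holder relationship (A/008 to a person), not a role: must be ignored by the join
    hrp1001("50001003", "P", "00012345", date(2012, 7, 1), HIGH_DATE, rsign="A", relat="008"),
]


def valid_on(row, key_date):
    """True when the time slice BEGDA..ENDDA covers the key date."""
    return row["BEGDA"] <= key_date <= row["ENDDA"]


def vacant_positions_with_roles(vacancies, relations, key_date):
    """Return {position_id: sorted role names} for positions vacant on key_date
    that still have a valid position-to-role (AG) relationship on that date."""
    vacant = {
        r["OBJID"] for r in vacancies
        if r["OTYPE"] == "S" and r["VACAN"] == "X" and valid_on(r, key_date)
    }
    found = {}
    for rel in relations:
        if (rel["OTYPE"] == "S" and rel["SCLAS"] == "AG"
                and rel["OBJID"] in vacant and valid_on(rel, key_date)):
            found.setdefault(rel["OBJID"], set()).add(rel["SOBJID"])
    return {pos: sorted(roles) for pos, roles in found.items()}


if __name__ == "__main__":
    for key in (date(2012, 2, 1), date(2013, 1, 1)):
        print(key, vacant_positions_with_roles(VACANCIES, RELATIONS, key))
```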
Q. How to check missing authorizations in SAP CRM by SU53 or ST01 or any other tool for
analysis for SAP CRM Web UI type system?
A. Both SU53 or ST01 work in CRM as they do on ECC. For WebUI type analysis, I find ST01
to be more helpful as even a single UI screen will have multiple web services and a trace
will display the authority checks for all of them.


Q. Can you explain what xRPM is?
A. SAP xRPM is one of the new generation solutions from SAP. I had only very little exposure
to xRPM in one of my earlier projects where we used it for Project Management. I have not used
it enough to give out any meaningful information. Good luck with your search though.
Q. Is the work we do on the enterprise portal, or more specifically on the Java end in SAP, called
Identity Management? For e.g. creating users on EP, using UME, Visual Manager, SSO, and
other configurations. Are these part of IDM or does it cover something else?
A. You are referring to the SAP IDM solution, which is completely different from what is
covered in the blog. SAP IDM is SAP's latest tool to manage identities (which includes user
provisioning) across diverse enterprise systems. SAP IDM is similar in function to CUA but with
far more functions built in.
Q. How do I identify the ACTIONS in UME? For example, a trainee has joined our team and I
want to give that person view-only access. Are there any such types of actions available?
A. I am not aware of any quick and dirty way of identifying actions, but this might be due to my
own limited knowledge on the subject. The actions are exposed by the individual java
applications and would change across different apps. Most of the time, the documentation around
the java applications talk about the actions or roles needed for a particular functionality. Such is
the case for any of the GRC applications, where the installation guides talk about the
actions/roles needed.

Q. I mean can IDM support the Indirect Role Assignment, or it only supports Direct Role
A. I have just basic exposure to SAP IDM but from what I can remember, our IDM system was
configured to read new hire information from SAP HR system and assign appropriate roles. So I
would say that the configuration options should exist to support indirect role assignment.
However, do note that SAP IDM and the UME Identity Management application are completely
different from each other. The articles in this blog till now only mention the Identity
Management solution in UME, not SAP IDM.

Q. What is length of the User Buffer in SAP System?
A. Normally 3000 characters and we increase up to 5000 characters.
Q. How do I find the list of transactions used by users in the last 2 months?
A. You can find the details in t-code ST03N, and also, if you have configured the audit log, you will get it in
SM20. In ST03N we can find the last 3 months of transaction usage for users. The report from ST03N
shows transactions and reports, but I need only transactions. Take the ST03N values and dump
them into the TSTC table, then check, as that table will have only transactions.
Q. I want to know the InfoProviders and authorization-relevant InfoObjects for all the reports in
the system. Can anyone help with which table or combination of tables will give this information?
A. Just go to SUIM auth objects and search for S_RS* objects.
Table for InfoCube to InfoObject mapping: RSDCUBEIOBJ
1. Use table RSDCUBEIOBJ to get the list of all InfoObjects corresponding to an InfoCube.
2. Feed this list of InfoObjects into the table RSDCHA and obtain the list of InfoObjects that are
auth-relevant.
3. Feed the auth-relevant InfoObjects into table RSDATRNAV to get the auth-relevant
navigational attributes.

Q. My requirement is to remove a transaction from S_TCODE. I have done that by excluding it from
the range. Even when I check with SUIM it is not showing that role. But when I assign that single role
to a test user, the user is able to access that excluded t-code?
A. When you add a t-code in S_TCODE it won't show in SUIM, and it's not best practice; it should be added in the
menu only. It might be due to calling t-codes. Check in the table TCDCOUPLES and remove the
calling t-codes from the objects P_TCODE / I_TCODE / etc. Please check the user's authorization
buffer. The t-code might be a "called t-code" and the test user might be getting that t-code
access from some other role already assigned to the test user.
Q. I want to compare two users between quality and production. I am trying with SUIM -> Comparison -> From Users -> and across systems. But I am not able to give the exact RFC destination.
How do I find the RFC destination?
A. Simple way... using SUIM, segregate the roles from QA and PRD and compare roles using
Q. I copied the roles from a production user and created a new user in quality for testing. But in
quality the test user is not working as expected. So what should I compare? I have compared the
roles in Excel and both are the same?
A. Take SU53 using the test id and make a role comparison.
Q. What is a routing rule? Give one example.
A. A Routing Rule will be used based on conditions at a particular stage like No Role Owner Found,
SOD Violations Found, Role Certification, etc. It means if the condition is like SOD Violations
Found at the Role Owner Stage from Change User Account then the request will be routed to the
Controller Stage in the SOD Controller Path... the mapping will be done in the Maintain Paths and
Maintain Route Mappings steps of the MSMP tool.
Q. What are centralized and decentralized FF?
A. Centralized FF means you need to log in to the GRC system and you can use FF IDs from the
GRC system itself. T-code GRAC_SPM/GRAC_EAM is for FF ID usage from the GRC system.
Decentralized FF means you need to log in to that particular plug-in/backend SAP system to
use the FF ID. T-code /n/GRCPI/GRIA_EAM.
Q. Can anyone tell me why Enabler roles will be used in specific organizations? How they are
created and why will a client go for those roles creation in SAP?
A. Enabler concept is not recommended by SAP. It is actually used to reduce the number of
roles. It will eliminate the concept of parent and child role. If your project involves huge number
of derived roles and if you want to cut them down you can go for enabler concept. But it
somehow degrades the SOD analysis efficiency. Someone who has in depth experience please
post your thoughts. Org values are maintained in a separate role ... Here we need to maintain
two types of roles 1. Role with only objects 2. Role with only org values. So if any user asked for

access to any transaction for any org value you may have to assign two or more roles depending
on the requirement.
Q. Why should an InfoObject be made authorization relevant in BW?
A. To get the required data you need to run a query. Each query will have some fields with
restrictions. To restrict those values you need an analysis authorization. You can maintain the
restrictions through Analysis Authorization only when the object is auth relevant.
Q. What must I check if roles for a user in a child system are not reflected in the CUA?
A. 1. Run SCUL. 2. Check in SCUA whether all RFCs are showing green or not. 3. Run Text
comparison from the child systems.
Q. List out compelling reasons why it is best practice to disconnect a child system from CUA
before we refresh the child system. Please mention the possible impact if this is not done.
2. Please help me understand when/for what purpose it is useful to use RSDELCUA from CUA
and when from the child (i.e. complete disconnection versus temporary disconnection).
A. Disconnecting the child system through SCUA for any upgrade is not the right practice. Always
run RSDELCUA in the CUA system so that it will be disconnected completely. For this activity we
should have CUA administrator access. Otherwise, after reconnecting the CUA, while transferring
the users from the child system to CUA using SCUG some users will lose some access, because the
child system was not completely disconnected and some entries will still exist in CUA. That will
cause a reverse of CUA entries to the child system. Finally the user will lose the access.
Q. What is the functionality of S_RS_FOLD in BI security? Why do we need to hide the InfoArea push
button? Explain?
A. The main purpose of S_RS_FOLD is whether the InfoArea button should be visible or not. It's better to
hide it because then the end user can't select queries from the InfoArea button and run random queries
which they are not allowed or authorized to run.
Q. I have an issue with a BI user in the prod system. While executing a BI report from the portal it is
showing the error "Characteristic Valuation view has no master data for # value or you do not have
authorization". The user is able to execute in the DEV and QUA systems without any error, but the access is
the same in all the systems. If I assign 0BI_ALL, the user is able to execute the report. What is the reason
that the user is able to execute in DEV and QUA with the same authorizations but not able to
execute in PRD??? Is it related to the portal or BI??
A. Can you do some research on the below. I assume you have added the # value in your analysis
authorizations. But somehow that is not working in your prod system. There could be 2 reasons:
1) In prod # is not added in the Analysis Auth. 2) Some SAP note is missing which allows access for
blank data (#). For the 2nd case you need to do some research. Maybe you can raise a message to SAP.
Q. The user is trying to assign a mitigation approver and mitigation owner to an org unit but both are not
visible while mapping to the org unit. How will you troubleshoot?
A. Check mitigation approver user and mitigation owner users are created in the system. Go to :
NWBC-> setup -> Organizations-> Click on " Organization" -> Select Child Organization->
click on open-> Go to " Owners" Tab go to " Add row" Here you can add both Approver and
monitor after that these users will reflect .
Q. How to create a single role with SU01 display and SU10 full access?
Note 1: Without using SU01D.
Note 2: Without creating two separate roles, one for SU01 display and one for SU10 full access, and
assigning them to the user. And also using a variant. TIA?
A. Not possible. They use the same auth objects. Alternatively give access to SU01D. The underlying
objects are the same. The only option is to give SU01D.
It can be possible if you control access on User Groups: display access on a particular user
group and maintenance on the others. Also you can restrict access on particular roles and profiles. I
believe it is possible only this way. - When you restrict on user groups the display/maintain
access will be the same in both the t-codes. His requirement is different. Hence I suggested
SU01D + SU10.
Q. Could anyone explain what are the challenges we face if we give user id as
A. The number of characters in the last name and first name may not fit in the user ID. First name and last
name can be the same for many employees in an organization!! And it can have more characters than are allowed
by SAP for a user ID.
Q. What are internal fire fighter and external fire fighter? Tell me the differences?
A. Such terms are not used for FF. Just a guess: the interviewer may be referring to firefighting
done by the IS team as internal FF, and the one done when an OSS note is raised for SAP support as
external FF ID, since it requires an ID similar to an FF ID which has almost all the authorizations.
Even then it's an FFID. Most of the people who are on the other side of the table want to prove
that they are more expert than the candidates. Hence these dumb and crazy questions.

Q. "Configuration is locked by user" in MSMP. How can I resolve this?

A. Go to SM12 and delete the table lock entries. Kill the account using t-code SM66.
Q. When a user logs in with the correct password he can log in to the SAP system, but if by chance
he enters a wrong password and then tries to log in with the correct password, the SAP system
asks to change the password? The user is a Dialog user and everything is fine in table USR02.
A. The only reason can be that when a user logs in with a wrong password, the password status
converts from productive password to initial password. This can be done by a custom program
which triggers such a change.
Q. We got one request where the user has to use the role only in specific locations, so we created a
new role and restricted it through org level values. But still the user is able to perform all activities in
all locations?
A. The user may be getting authorization from other roles. Better to do UAT with the single role which
you have created with the org value restriction and trace where the user is getting access to other
locations. Check object S_USER_GRP, and also check the respective org value in the auth object.
Sometimes we maintain values in both places, the org levels tab and the auth object level.

Q. Enabler role concept?

A. Enabler roles are the ones where the t-codes and non org objects are maintained in one role
and org values are maintained in another. User will get access to the t-codes when both the roles
are assigned. Enabler roles are not a recommended approach of maintaining the authorizations
as it allows people to do backdoor transactions. Even the Risk Analysis can't identify all the risks
and you may end up with false positives. I do see some organizations that are using enabler roles
even today, but if you are a solution architect, you should provide them the pros and cons and
educate them.
Q. In an FF-ID why are you using user type Service and not Dialog? Let me explain?
A. Change the user type to Dialog instead of Service. You would know the answer. It will
work for Dialog as well.... The reason we use a Service user is because the password for a Service user
doesn't expire... So no need to reset the password every time it expires. An FF ID can use only
Dialog or Service; if you put the FF ID as System or Communication, whenever you're trying to use the FF
ID again it will ask for the password, and only Dialog or Service can be used for an FF ID. If you use Dialog
for the FF ID, you need to pay license cost to SAP; if you use Service no need to pay license cost, and the
password also will not expire and ask.

Q. how do we get default variables & templates in VARIABLES & TEMPLATES steps in
A. You have to activate the MSMP BC Set that will get the default variables and templates.
Check in SCPR20 transaction code.
*** Go to table USR02 and in UFLAG specify the values 64 and 192, then get the list for the required
dates. To increase the table width and output range you just need to set 9999 and 99999 in the last two
fields in the table. By default it was 200 and 250.
Q. When will we convert an authorization field into an organization field?
A. Whenever you want to control any field value at plant level, then we need to convert the global
value to an org value.
Ex: Authorization group is a global field; now I want to convert this field to an org value.
1. Go to t-code SE38 and enter PFCG_ORGFIELD_CREATE.
2. Give the field name which you want to convert to an org field.
3. Uncheck the test run option.
Q. How can we extract the list of user email IDs in ECC?
A. You can find user ID and personal number in table USR21, and personal number and email ID
in table ADR6, and map them.
Q. Which fields can't be maintained for the user through SU10?
A. You can maintain everything except password and user address data.
Q. How to move all the users from one plant to another plant?
A. First in AGR_1252 give org level Plant, give the value of the plant, execute, copy all roles and check
in AGR_USERS. You will get the list of all users for that particular plant.
Q. Why do we give org values in the derived role only in the parent and derived role concept? Can anyone tell me
the reason?
A. Let's take the example of branches for a firm: there are 3 branches, India, Australia, Singapore.
Take branches as company code, plant etc. India derived role users have access restricted to only the
Indian company code, plant etc. The same derived roles follow org levels for Australia and Singapore.
Q. Do you know of a table which can show the list of t-codes related to a particular authorization

A. The table is USOBT for standard, USOBT_C for custom. The other option is to go to SU24, select the Auth
object tab, give the required auth object and execute; you will get the list of t-codes which are
associated with that object.
Q. How to generate non-generated profiles?
A. In t-code SUPC we have the options:
1. Roles with non-current profiles
2. Also roles to be compared
3. Roles with no authorization data
4. All roles
5. Roles with current profiles for new generation.
Q. How to check deleted custom transaction history on SAP? Since the t-code is available in the
role but not in table TSTC?
A. Go to SUIM - Change Documents, give the role name and execute. Check in tables AGR_1251 and
AGR_TCODES. You may find the entry.
Q. How to check deleted custom transaction history on SAP?
A. SM20
Q. Can anyone tell me what is the use of Transport of Copies and Relocations?
A. A transport of copies allows you to transport sub-objects in an object list into any other SAP
system in which you want to. We use a relocation TR when the development system of a complete
package is to be changed on a permanent basis.
Q. Can you guys please tell me the t-code to see the list of all programs in the SAP system?
A. SE16 with table TRDIR
Q. Does anyone know how we can identify who has created critical auth variants in SUIM?
A. Got you. There is no trace for the table. You need to enable trace for the respective table
where you are maintaining variables and check in SCU3.
Q. Hi, can anyone please explain the difference between ECC security and BW security? What are the
important authorization objects for BW security?

A. BW security is mainly based on analysis authorizations, which we need to protect info cubes, info
objects, OLAP and queries; also it is divided into 2 areas, authorization for administrators and
authorization for business users. R/3 security is mainly based on t-codes, and
authorization is controlled via authorization objects using profiles and roles. S_RS_COMP,
Q. How can I mass update 2 auth objects in all the roles they have been assigned to? TIA?
A. You can update the activity and values in SU24 for that object against the t-code and regenerate the
role via expert mode (provided this doesn't impact your business), and it needs thorough testing
before moving the roles further to higher systems.
Q. User transfer to CUA - what do we do regarding the users who have default printers setup?
These users are not transferred to CUA. Any suggestions other than creation of these printers in
A. Check in SCUM what type of distribution is set in the Defaults tab for printer. If global, it will push the
printer name to the child system every time a change is made in the central system to the printer name for
Q. Once the tracing is completed (ST01), how can we resolve the issue for the user without
tracing codes?
A. RC = 0: Successful (user is authorized)
RC = 4: Failed - user does not have authorizations but does have the authorization object in their
buffer (different authorization combination though)
RC = 12: Failed - user does not have the authorization AND does not have the
authorization object in their buffer.
Q. Is it possible to delete the inheritance relationship for multiple roles at a single time?
A. Yes. You can use scripts like LSMW or SECATT, record for one role and run the same for all
other roles... It will work.
Q. I would like to know if there is a possibility that authorizations get added to roles when you
remove a t-code from it... Kindly help me understand why this could happen or what I can check to
know where these "unwanted" authorizations came from?

A. Check if the standard values of this object were changed earlier without duplicating it. In case
the standard value was changed, then check from which t-code it is getting pulled; you have an option inside
the Authorization tab to check it. Then duplicate the standard value, maintain your values
manually and deactivate the standard one. When you change the standard values of the objects
pulled through the t-code, it will keep on pulling the object every time you change the role, so it is
always better to duplicate it and deactivate the standard values.
Q. What are the few required checks one has to perform in the system to maintain the system
according to SOX compliance? If one gets an open system, what checks does he/she have to
perform to go with the regulation?
A. Basic SOX rules: who has change/debug, maintain user master, change IDocs, execute &
maintain OS commands, import TR, system admin functions, assignment of profiles to
themselves, change client settings, batch/background job admin access, change profile
parameters access, TemSe objects, change owner of spool, lock/unlock SAP*, DDIC,
Q. Where can we extract the list of user email IDs from the table?
A. You need to use two tables (USR21 and ADR6); with a simple VLOOKUP you can get it.
Q. Even after connecting the child system to the CUA I am able to assign roles to users in the child
system also, though user creation is still being done in the central system?
A. Role assignment is checked as Global instead of Central. Please check the configuration steps. Cross
check whether the target system is mapped properly or not, and also check if all the
settings are correctly performed; then execute t-code BDM5 in the CUA and perform a consistency
check for the respective systems.
Q. In PFCG when will we inactivate/deactivate the authorization object?
A. In expert mode, if we choose the 3rd option (read old status and new status), for the changed status
of the object we copy the object and deactivate it. By doing so, in future if we add a t-code
and in case it pulls the same object with the same field values, and if we changed it, it detects that, and if it is
coming from the same t-code it will not pull it again.
Q. We have done an SAP upgrade and the user has the same roles in both systems, but they are not
able to use SUIM and it is throwing a "NO AUTH" error.
A. Have you regenerated all the roles by using expert mode 3rd option? If not, you may be facing
this kind of issue. Ask the user to restart the user buffer.

Q. How to extract all people numbers for user IDs (HR numbers) in ECC? Not the person number
that we see in table USR21, but the maintained sales representative numbers for CRM users in
A. Please take a look into tables BUT050 & BUT100. What do you mean by HR numbers? Is it
PERNR numbers? If it is PERNR then you can find it in 1. table PA0105, using subtype 0001. 2. In
PA20 press F4 and enter the user ID in one of the tabs which has ID/username, and once you
press Enter with the desired user ID you will get all the required information along with the
Q. Unexpectedly I locked all the users in client 800, and I am unable to open any of the
clients even with the SAP*/DDIC users (getting "or password incorrect"). So how could I solve this
issue? As I am new to SAP?
A. Use t-code EWZ5 and select all users who are unlocked.
For Oracle database:
Log in to the system with the <SID>adm user.
Open a command prompt.
Connect to the database:
<sid>adm > sqlplus / as sysdba
In the command line use the SQL statement:
SQL> delete from <SAPschema>.usr02 where bname='SAP*' and MANDT='Client No'
SQL> exit
For unlocking a single user:
SQL> update SAPSR3.USR02 set UFLAG='00' where BNAME='SAP*' and MANDT='Client
For unlocking all users:
SQL> UPDATE sapsr3.USR02 set UFLAG='00' where MANDT='Client no'
For SQL Server database:
Open MS SQL Management Studio and connect to the database.

Execute the following query:

For unlocking a single user:
update sid.USR02 set UFLAG='00' where BNAME='SAP*' and MANDT='Client No'
For unlocking all users:
UPDATE sid.USR02 set UFLAG='00' where MANDT='Client no'
Q. When a master role is modified how many tables are affected? What are they?
A. For a few changes in SAP a number of tables get changed!! But here the main table is AGR_1252 which
gets the entry of the org value maintained in the derived role!! But remember that's not the only table!!
Q. How many ways can a user be locked? And also explain how many locks are used in
A. 32: locked by CUA admin
64: locked by system admin
128: locked by incorrect logon.
16: mystery locks
192 (not sure): locked due to incorrect logon and then locked by system.
You can check the lock entries in USR02.
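The UFLAG values listed above decoded in code, as an added example that is not part of the original Q&A; it also performs the USR02 selection on 64 and 192 described in the note earlier on the page. The USR02 rows are constructed sample data, and the label for 16 is the answer's own wording.

```python
"""Decode USR02-UFLAG lock values and list locked users by lock reason.

Added example, not from the original Q&A. UFLAG is a bitmask, so the listed
values combine (192 = 64 + 128). The USR02 rows below are constructed sample
data, not a real extract.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Single-bit lock reasons as listed in the answer above; the label for 16 is the
# answer's own wording, not an official SAP description.
UFLAG_BITS: Dict[int, str] = {
    16: "mystery lock",
    32: "locked by CUA admin",
    64: "locked by system admin",
    128: "locked by incorrect logon",
}
KNOWN_MASK = sum(UFLAG_BITS)

# Constructed USR02 extract: (BNAME, MANDT, UFLAG)
SAMPLE_USR02: List[Tuple[str, str, int]] = [
    ("ALICE", "800", 0),     # not locked
    ("BOB", "800", 64),      # admin lock
    ("CAROL", "800", 128),   # too many wrong passwords
    ("DAVE", "800", 192),    # 64 + 128: wrong passwords, then admin lock
    ("ERIN", "800", 32),     # locked centrally from the CUA
    ("SAP*", "800", 64),
    ("FRANK", "100", 64),    # other client, filtered out when client="800"
]


def decode_uflag(uflag: int) -> List[str]:
    """Return the lock reasons encoded in a UFLAG value; [] means not locked."""
    reasons = [label for bit, label in sorted(UFLAG_BITS.items()) if uflag & bit]
    leftover = uflag & ~KNOWN_MASK  # bits the table above does not describe
    if leftover:
        reasons.append(f"unknown flag bits {leftover}")
    return reasons


def users_with_uflag(rows: Iterable[Tuple[str, str, int]], wanted: Iterable[int],
                     client: Optional[str] = None) -> List[str]:
    """The SE16 selection from the note above: users whose UFLAG equals one of `wanted`."""
    wanted_set = set(wanted)
    return sorted(bname for bname, mandt, uflag in rows
                  if uflag in wanted_set and (client is None or mandt == client))


def locked_users_by_reason(rows: Iterable[Tuple[str, str, int]],
                           client: Optional[str] = None) -> Dict[str, List[str]]:
    """Group locked users by lock reason; a user with UFLAG 192 appears under both reasons."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for bname, mandt, uflag in rows:
        if client is not None and mandt != client:
            continue
        for reason in decode_uflag(uflag):
            grouped[reason].append(bname)
    return {reason: sorted(users) for reason, users in grouped.items()}


if __name__ == "__main__":
    for reason, users in sorted(locked_users_by_reason(SAMPLE_USR02, "800").items()):
        print(f"{reason}: {', '.join(users)}")
    print("UFLAG 64 or 192:", users_with_uflag(SAMPLE_USR02, [64, 192], "800"))
```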
Q. I have a strange situation in BW 7.4 version. I changed below info objects as auth relevant in
0SALESORG, after turning them as auth relevant and activating, I created an analysis
authorization ZTEST1 in rsecadmin and added these 5 objects with appropriate values. Then
saved and activated the AA (BW7.4 version asks to activate the AA). Before this, there was no
info object as auth relevant. But 0BI_ALL was still having 4 special info objects (0TCAIPROV,
0TCAVALID, 0TCAACTVT and one more, I forgot the name). That's alright. Now even after the
above changes, I can't find any data in rsecval table for ZTEST1 analysis authorization.
0BI_ALL also doesn't show the new auth relevant info objects. I have tried to update
authorization for 0BI_ALL in rsecadmin, but with no success. Do any of you know what could
be the issue here?
A. You need to use the migration tool to get all your info objects. In RSECADMIN you will find the
migration tool in one of the menu drop-downs.
Q. How to find the validity of 500 users at a time?
A. SU10 > Authorization data > User > put all the names there and then execute... it will display a
screen with all the details of all users. From USR02 you will get the user ID and validity, but via SU10 it will
give you data like user ID, user full name, validity etc. You can see the required details using
program RSUSR200.
Q. If a user ID has been deleted accidentally, and then the user asks for the same user ID with the same
authorizations, how will you proceed in this regard?
A. SUIM - Change Documents - enter the user ID and you will get all the information for the user ID like a
log report, and create the new user ID accordingly.
Q. What is the procedure for adding a custom t-code to a role? And what are the things we need to
check? Please explain briefly?
A. 1. Check with the developer if they've put any authority-check statements against any auth
objects. If they haven't already, ask them to do so.
2. Create a dummy PFCG role in the unit test client and add the custom t-code to its menu.
3. Create a test user ID with only this dummy role and request the functional team to test the custom
t-code while you have the system trace (ST01) turned on.
4. Keep updating the dummy role with the required authorizations until unit testing is successful.
5. Leveraging the required auth objects & values info gathered above, maintain SU24 settings for the
custom t-code, then add the custom t-code to the required PFCG role's menu tab and maintain the auth
values identified in the Authorization tab accordingly in the dev source client.
6. Now you should be good to transport/promote this role forward.
Q. What is the impact on roles when we convert an authorization field into an organization field?
A. You need to update the org fields after this change, otherwise the roles will be inconsistent.
Q. Is there any t-code or table to view who has changed the license type in SU01?
A. Go to SU01 -> Information -> Change documents for the user.
Q. How to move all the users from one plant to another plant?
A. We extract plant users using SUIM. SUIM - Users - Users by complex selection criteria - then we have to
give the plant object and plant value. Once we execute with the values we will get the list of plant users.
Q. When a user logs in with the correct password he can log in to the SAP system, but if by chance
he enters a wrong password and then tries to log in with the correct password, the SAP system
asks to change the password? The user is a Dialog user and everything is fine in table USR02?
A. Check all the parameters regarding incorrect logon. To reset the password, there is a timeline set
in the parameters for incorrect password logon too. There only will the solution be (as far as I
know). Just do some R&D and play with the parameters for logon and password; you will get the
Q. What is the difference between the ST01 and STAUTHTRACE t-codes and why is STAUTHTRACE
in place?

A. STAUTHTRACE can be used for authorization trace only, similar to the Authorizations check box in ST01.
A system-wide trace can be activated without worrying about switching to the server
where the user is logged in. Most important, the trace output is user friendly, easy to analyze and
extract to a spreadsheet.
Q. When do we create transport requests in the production system?
A. We never ever create a TR in production as we are authorization members. In fact you won't
get the chance to do so, as data movement starts from DEV to PRD via QA. Moreover, the PRD system does
not have any target systems.
Q. Is there a way to find out what a user did in the SAP system on a particular day?
A. SM20 is only the audit log. It needs configuration and does capture everything a user did.
STAD only captures started transactions, but does not show all actions done within a transaction.
You need to compare it with change logs of tables, depending on whether table logging is switched on.
Q. Why do we need a composite role? Does a composite role have authorizations?
A. A composite role is a combination of different single roles. Instead of assigning multiple single
roles, we can directly assign 1 composite role to the users. We don't maintain any auths in a
composite role. A composite role holds single roles and we have already maintained the auths in those
single roles. If you need some information on this just search in SAP SCN.
Q. How to get organization values in a composite role?
A. Check function module PRGN_1252_READ_ORG_LEVELS.
Q. I would like to know if there is a possibility that authorizations get added to roles when you
remove a t-code from it... Kindly help me understand why this could happen or what I can check to
know where these "unwanted" authorizations came from?
A. When you remove a t-code from a role all relevant SU24 auths get removed. No auths are added. Maybe
you would have updated the role object values with SU24 values. I mean the values in the fields of the
objects were changed to something other than what is maintained in SU24, and while removing the t-code
from the role you would have selected the expert mode option, so the role has got values from SU24. You
can see the changed values in the PFCG change auth screen. The maintenance status of the objects tells you the
changes made in values.
Q. How to pull a report of users who have logged in from 01.01.2015 to 26.03.2015?
It is not for last login; I cannot use RSUSR200 or USR02 and don't have authorization for
SM19 and SM20. Need to find out the list of users who have logged into the system for different
numbers of sessions on different dates. For example 1 user may have logged on a day for different
A. Execute ST03N -> select Date -> User and Settlement Statistics -> User Profile

Q. How to know who deleted/added roles to a user in sap? I need to check the activities made to
a user. Why the role is gone and who did that?
A. SU01 --> Information --> Change Document for users (Provide the User ID, from date and
end date) and Select the Roles/Profiles.
Q. We have done an SAP upgrade and the user has the same roles in both systems, but they are not
able to use SUIM and it is throwing a "NO AUTH" error. Could you please advise me how to
check whether the notes are implemented or not?
A. Go to ST13 and run report RSECNOTE in that tool; after that you will get a total report of security
notes and you will be able to check whether the notes are implemented or not.
Q. How to lock mass users in SAP portal?
A. SU01 or EWZ5 to lock mass users. 1) SAP NetWeaver Identity Management offers additional
functions, enabling you to trigger the locking of users automatically and remove all
authorizations, say if your HR system changed the user's status. 2) You already have the list of
users -> create a group -> add this group to all the users -> start identity management and display all
users who are members of this group -> from the Table Selection menu, choose Select All -> lock.
3) SU10. The problem with EWZ5 is that you have all the background and service users also listed.

Q. Change request management?

A. Role modification/creation, user modification, role assignment: such activities will come
under change management. While creating a ticket, the above activities will be created under
change management.
Q. what is the business workflow of your company?
A. Interview question.
Q. How to trace background job authorization issues?
A. Set the background job to run on a SPECIFIC INSTANCE like "Instance02" in SM51. Put the
trace through ST01 in Instance02 for the step user used in the background job. T-code
STAUTHTRACE should suffice for your requirement.
Q. I've an SECATT script for the deletion of all roles for mass users. While running the script I'm
facing this error: "Error in eCATT command TCD SU01 Message no. ECATT507A TT 377
Control data is obsolete, rerecord (VERBS-NAME: GRIDMODIFIED CATT:
GETEVENTPARAM Call. no: 000030)". Is anyone familiar with this error? Or is there any
alternative for this?

A. Better try with the GUI recording method. And if you are running the query in another system,
check the RFC connection and RFC user status. Anyhow, if your requirement is to remove
multiple roles from multiple users, you can do that easily from SU10 in less than 5 minutes of effort.
Q. Role changes process?
A. By using the CCB (change control board) with the respective modules in the quality system we can change
the roles.
Q. I need one help: how to find the particular t-code used by a user on a particular date, and if we don't
know the date is there any t-code to find the above information?
A. In ST03N you can find Expert Mode; click on Total ---> then click on Transaction Profile ---->
click on Standard Profile ---> you can find User Profile; just click on that.
Q. Where can we add a Reference type user ID?
A. Go to PFCG, select the role for which you want to add the reference user, select change
mode and go to the Roles tab; there you can find "Reference user for additional rights", then assign the
reference user in that option. The "Reference user for additional rights" option is available in SU01, not in
PFCG. Generally, if the user already has access to 312 profiles but the user needs additional access,
then we can give the additional access through the reference user.
Q. Can anyone tell me why enabler roles will be used in specific organizations? How are they
created and why would a client go for the creation of those roles in SAP?
A. An enabler role is nothing but a child role. In the t-code level role, we disable all org level auth
objects and maintain these objects in the template role (parent role) manually with org values as (' '),
and create the child role (enabler role) mapped to the parent role with specific org values as
XXXX. The security team will assign both the t-code level role and the enabler role (XXXX); then the user can
perform activities only for that XXXX company code.
Q. We got one request where the user has to use the role only in specific locations, so we created a
new role and restricted it through org level values. But still the user is able to perform all activities in
all locations?
A. 1. Maintaining org levels manually doesn't always work.
2. If you are manually adding an org level, make sure the auth object which will check the org values
has the field value blank.
3. Check if that user has some other role with the same auth object maintained with * activity.
Q. List out compelling reasons why it is best practice to disconnect the child system from the CUA
before we REFRESH the child system. Please mention the possible impact if this is not done?

A. There are 2 reasons. 1. Say if 1 PRD system is connected to 5 other PRD systems, then when you
do a system copy to the QAS system, the QAS system will become the parent and the old 5 PRD
systems will become child systems. It's a risk.
2. After refreshing the child system without removing the connections, then it's default to delete the
Q. I want to take trace, but user is logging through portal. How to take trace for that user?
A. You can use transaction AL08 to see what application server the user is currently logged
onto. After you get that information you can go to transaction SM50/SM51 to hop into that
application server and activate the trace.
Q. How to create a user in SAP if the Create button is not there?
A. If you are creating a user in a CUA child system then there is no Create button...
Q. In ST01, after analysis we do get a log. But after a successful trace (filters with correct time
stamp and all) the log is empty. What can be the reason?
A. Just check in which application server the user is getting the error and put the trace on the user
ID in the same application server... you can see the list of application servers in SM51 as suggested
above... the log should be generated... if you had correctly put the trace on the required ID in the
correct application server and with the correct time stamp... never seen such a case... will actually have
to drill down into the issue.. (how the trace was done and what activity the user is doing). I hope he is doing it in
ECC only and not in the portal.
Q. How to assign reference user to dialog user?
A. Go to SU01 -> Give User ID -> Enter into Change Mode -> Go to Roles tab -> you can find a
field: "Reference User" -> Enter the Reference User ID & Save. Now, the Reference User is
assigned to the Dialog User.
Q. What is the purpose of creating analysis authorizations in BI security?
A. To access reports like workbooks and query reports.
Q. What is the alternate t-code for SU01?
A. If the user doesn't have the SU01 t-code, the user can still perform similar access using all these t-codes: OMDL, OMEH, OMWF, OPF0, OTZ1, OY27, OY28, OY29, OY30.
Q. How do you check if a position in SAP has any roles assigned to it?
A. PO13D --> select plan version as current version ---> select Relationship infotype ---> click on the
Overview button in the menu bar. Hope this helps you. (Or) you can also find it in table HRP1001.
Q. What does the text compare on the Roles tab do in an SAP CUA environment?
A. Text comparison will generate the data which is in the child systems. All the roles and user
data will be stored in the CUA system so that we can work with the child system data from the CUA itself.

Q. can we use CUA to execute any report or does it support SUIM? We have 15 systems with
50+ clients and need to fetch user list having SAP_ALL every fortnight!! Client is asking to use
A. You can use CUA for fetching the report. In SUIM you can pull the report through SUIM -->
Users --> select the cross client option on the top. It will fetch you the report for all the clients which
are connected to the CUA.
Q. Someone had created no. of roles in system and had not maintained all auth obj in same and
generated profiles for them!! When I go in auth tab i can get a lot of unmaintained auth objects!!
How can I find the list of roles which have their profiles generated with unmaintained objects?
A. Go to SUIM > Roles by complex selection criteria; you can find it there.
Q. how to check the stack info like ABAP or JAVA or Both?
A. For the ABAP stack level go to SPAM. For the Java stack you can follow any of these procedures.
SM51 - On dual stack systems you'll see J2EE amongst the Message Types (as on a
NetWeaver PI 7.1 dual stack system). Purely ABAP systems won't have it listed.
SMICM - Check the list of services in transaction SMICM (menu:
Go to --> Services) - dual stack systems will have the J2EE services listed too (look for P4 and
IIOP in particular). There will also be an AS Java menu in SMICM on ABAP+Java systems.
Profile parameters - ABAP+Java systems will have J2EE-specific parameters in their
start/instance profiles (for example, rdisp/j2ee_start).
Q. How to add 100 to 200 t-codes to a role at a time?
A. You can directly add t-codes to the role menu from PFCG... Use the "Insert from clipboard (Shift +
F12)" option.
Q. When I am transporting a role from Dev to Quality its profile status is changing to yellow, and I
re-transported after regenerating the roles?
A. In SM30 open table PRGN_CUST. Click F4, make an entry in the table "Transport Generated Role",
check the default value is YES and save the table; then try to transport the role.
Q. How would I generate a list of executable t-codes for all users? It would be similar to using
SUIM to see executable t-codes for a single user, but I need a list of all executable t-codes?
A. STEP 1: List out all users in SAP using table USR02. STEP 2: Go to table AGR_USERS to
find out all the roles assigned to users in the SAP system. You will find out all the roles in the system
which are assigned to any user. STEP 3: Go to table AGR_TCODES and paste all the roles
which you got in step 2. Execute and you will get your result.
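The three-step join above carried out offline on SE16 extracts, as an added example that is not part of the original answer. It goes one step further than the answer by expanding composite roles through AGR_AGRS (which the answer does not mention) and by dropping locked users and expired assignments; all rows are constructed sample data.

```python
"""Executable t-codes per user from extracts of USR02, AGR_USERS and AGR_TCODES.

Added example, not from the original Q&A. Goes one step beyond the answer: it
resolves composite roles via AGR_AGRS, skips locked users (UFLAG != 0) and
ignores role assignments outside their validity period. All rows below are
constructed sample data with only the columns needed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed extracts. Dates are YYYYMMDD strings as SE16 shows them.
USR02: List[Tuple[str, int]] = [  # (BNAME, UFLAG)
    ("ALICE", 0),
    ("BOB", 0),
    ("CAROL", 64),  # locked by admin
]
AGR_USERS: List[Tuple[str, str, str, str]] = [  # (AGR_NAME, UNAME, FROM_DAT, TO_DAT)
    ("Z_FI_DISPLAY", "ALICE", "20240101", "99991231"),
    ("Z_MM_BUYER", "ALICE", "20230101", "20231231"),  # expired assignment
    ("Z_COMPOSITE_FI", "BOB", "20240101", "99991231"),
    ("Z_MM_BUYER", "CAROL", "20240101", "99991231"),
]
AGR_AGRS: List[Tuple[str, str]] = [  # (AGR_NAME composite, CHILD_AGR single)
    ("Z_COMPOSITE_FI", "Z_FI_DISPLAY"),
    ("Z_COMPOSITE_FI", "Z_FI_POST"),
]
AGR_TCODES: List[Tuple[str, str]] = [  # (AGR_NAME, TCODE)
    ("Z_FI_DISPLAY", "FB03"),
    ("Z_FI_DISPLAY", "FBL3N"),
    ("Z_FI_POST", "FB01"),
    ("Z_MM_BUYER", "ME21N"),
    ("Z_MM_BUYER", "ME23N"),
]


def expand_roles(roles: Iterable[str], agr_agrs: Iterable[Tuple[str, str]]) -> Set[str]:
    """Replace composite roles by the single roles they contain (composites carry no t-codes)."""
    children: Dict[str, List[str]] = defaultdict(list)
    for composite, child in agr_agrs:
        children[composite].append(child)
    singles: Set[str] = set()
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        if role in children:
            stack.extend(children[role])
        else:
            singles.add(role)
    return singles


def tcodes_per_user(usr02, agr_users, agr_tcodes, agr_agrs, as_of: str,
                    include_locked: bool = False) -> Dict[str, Set[str]]:
    """STEP 1-3 of the answer: user -> roles valid on `as_of` -> t-codes of those roles."""
    role_tcodes: Dict[str, Set[str]] = defaultdict(set)
    for role, tcode in agr_tcodes:                        # STEP 3 lookup table
        role_tcodes[role].add(tcode)
    roles_per_user: Dict[str, Set[str]] = defaultdict(set)
    for role, user, from_dat, to_dat in agr_users:        # STEP 2, validity-filtered
        if from_dat <= as_of <= to_dat:                   # YYYYMMDD strings compare as dates
            roles_per_user[user].add(role)
    result: Dict[str, Set[str]] = {}
    for bname, uflag in usr02:                            # STEP 1
        if uflag != 0 and not include_locked:
            continue
        singles = expand_roles(roles_per_user.get(bname, set()), agr_agrs)
        result[bname] = set().union(*(role_tcodes.get(r, set()) for r in singles))
    return result


def users_with_tcode(per_user: Dict[str, Set[str]], tcode: str) -> List[str]:
    """Reverse view for reviews: who can reach a given t-code through role menus."""
    return sorted(user for user, tcodes in per_user.items() if tcode in tcodes)


if __name__ == "__main__":
    per_user = tcodes_per_user(USR02, AGR_USERS, AGR_TCODES, AGR_AGRS, as_of="20240615")
    for user, tcodes in sorted(per_user.items()):
        print(f"{user}: {', '.join(sorted(tcodes))}")
    print("FB01 reachable by:", users_with_tcode(per_user, "FB01"))
```

AGR_TCODES holds only the menu t-codes; a role's S_TCODE values in AGR_1251 can allow more, so treat the result as a lower bound.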

